Privacy and security fears dog LinkedIn's new email service

LinkedIn wants its users to hand over their email experience, worrying many that security concerns have not been addressed.

Let’s say I work for your phone company. I call you and make an offer: most of your calls are from friends and family, but occasionally business contacts use your home number. If you want - and for no extra charge! - whenever that happens I’ll call beforehand to give you a biography of that person before connecting them to you. Y’know, so you’re better prepared. The only condition is that you need to let me screen all of your calls before they get to you, so I know when you’ll need me to call you first.

Interested? I’m guessing you’re not - it sounds like a reasonably large invasion of privacy for a negligible payoff. And yet it’s not far from the offer LinkedIn has made when it comes to your email, with a new service it calls Intro for its users who are on iOS:

What's happening under the hood: without Intro, your Mail app connects directly to the servers of your email provider (e.g. Gmail or Yahoo!) to download messages. With Intro, your Mail app connects instead to the Intro servers, which fetch messages from your email provider and then pass them back to your Mail app. As the messages pass through the Intro servers, we add the social context that helps you be brilliant with people.

For each of your emails, Intro tries to find the sender of the message on LinkedIn. If we find information, we include it at the top of the message, and you can tap to see more detail.

In other words, your emails go to LinkedIn, and then to you. If one of those emails is coming from someone with a LinkedIn account, it’ll stick a little bar at the top of the message containing a condensed version of that person’s LinkedIn account. And if you send an email to anyone else, it’ll have something similar at the bottom that links to your LinkedIn account. Here’s what it looks like (as mocked-up by LinkedIn):

It might seem like a lot of bother, but for LinkedIn it’s worth it if it means people choose to turn the iPhone’s default Mail app into a de facto LinkedIn app. The benefit for the user is that it makes it easier to sort the spam from the wheat, but for LinkedIn the benefit is that they get to define how someone experiences email. That’s a powerful way to get people to pay attention to your site - and LinkedIn is fully aware of just how many of its users ignore all those update emails it sends out all the time.

However, remember that LinkedIn is reading your emails to do this, in a way that exactly mirrors a man-in-the-middle attack. That’s a type of attack where someone slips in between two other computers on a network, intercepting each message that gets passed along and reading it as it goes. Sure, you might consent to it when it’s LinkedIn doing it, but it creates an attractive new target. The weakest point in the network isn’t you, or your email provider, any more - it’s LinkedIn. The site’s reputation as secure was damaged greatly by the hack of 6.5 million user passwords last year, so, perhaps understandably, people have been sceptical of how safe Intro is.

Blog posts like this one at security consultancy Bishop Fox, which lay out several perceived problems - such as that it appears to break cryptographic email, that it could mean you waive your legal right to attorney-client privilege in private correspondence, that it could violate your company’s security policy, and that LinkedIn is generally quite vague about the details of how Intro works - have forced LinkedIn onto the back foot.

Cory Scott, LinkedIn’s senior manager of information security, has written on the company’s blog to try and reassure users that Intro is nothing to fear. He writes:

Many things have been said about the product implementation that are not correct or are purely speculative, so this post is intended to clear up these inaccuracies and misperceptions.

When the LinkedIn Security team was presented with the core design of Intro, we made sure we built the most secure implementation we believed possible. We explored numerous threat models and constantly challenged each other to consider possible threat scenarios.

Scott claims that an outside security firm - iSEC Partners - has gone through Intro’s code “line-by-line”, and that Bishop Fox was incorrect to claim that Intro breaks cryptography.

However, take a look on social media, or through reddit, and you’ll see people making a point that’s harder for LinkedIn to refute: even if Intro is secure now, social networks are notorious for updates that render things insecure, or things that were once private no longer being so. Not saying that LinkedIn would do this deliberately - obviously, they wouldn't - but mistakes happen. And for many, Intro looks like it could be a pretty terrible mistake in waiting.

LinkedIn Intro rejigs how Mail works on iOS. (Photo: ekkiPics/Flickr)

Ian Steadman is a staff science and technology writer at the New Statesman. He is on Twitter as @iansteadman.


"We repealed, then forgot": the long shadow of Section 28 homophobia

Why are deeply conservative views about the "promotion" of homosexuality still being reiterated to Scottish school pupils? 

Grim stories of LGBTI children being bullied in school are all too common. But one which emerged over the weekend garnered particular attention - because of the echoes of the infamous Section 28, nearly two decades after it was scrapped.

A 16-year-old pupil of a West Lothian school, who does not wish to be named, told Pink News that staff asked him to remove his small rainbow pride badge because, though they had "no problem" with his sexuality, it was not appropriate to "promote it" in school. It's a blast from the past - the rules against "promoting" homosexuality were repealed in 2000 in Scotland, but the long legacy of Section 28 seems hard to shake off. 

The local authority responsible said in a statement that non-school related badges are not permitted on uniforms, and that it is "committed to equal rights for LGBT people".

The small badge depicted a rainbow-striped heart, which the pupil said he had brought back from the Edinburgh Pride march the previous weekend. He reportedly "no longer feels comfortable going to school", and said homophobia from staff members felt "much more scar[y] than when I encountered the same from other pupils". 

At a time when four Scottish party leaders are gay, and the new Westminster parliament included a record number of LGBTQ MPs, the political world is making progress in promoting equality. But education, it seems, has not kept up. According to research from LGBT rights campaigners Stonewall, 40 per cent of LGBT pupils across the UK reported being taught nothing about LGBT issues at school. Among trans students, 44 per cent said school staff didn’t know what "trans" even means.

The need for teacher training and curriculum reform is at the top of campaigners' agendas. "We're disappointed but not surprised by this example," says Jordan Daly, the co-founder of Time for Inclusive Education [TIE]. His grassroots campaign focuses on making politicians and wider society aware of the reality LGBTI school students in Scotland face. "We're in schools on a monthly basis, so we know this is by no means an isolated incident." 

Studies have repeatedly shown a startling level of self-harm and mental illness reported by LGBTI school students. Trans students are particularly at risk. In 2015, Daly and colleagues began a tour of schools. Shocking stories included one in which a teacher singled out a trans pupil for ridicule in front of the class. More commonly, though, staff told them the same story: we just don't know what we're allowed to say about gay relationships.

This is the point, according to Daly - retraining, or rather the lack of it. For some of those teachers trained during the 1980s and 1990s, when Section 28 prevented local authorities from "promoting homosexuality", confusion still reigns about what they can and cannot teach - or even mention in front of their pupils. 

The infamous clause was specific in its homophobia: the "acceptability of homosexuality as a pretended family relationship" could not be mentioned in schools. But it's been 17 years since the clause was repealed in Scotland - indeed, it was one of the very first acts of the new Scottish Parliament (the rest of the UK followed suit three years later). Why are we still hearing this archaic language? 

"We repealed, we clapped and cheered, and then we just forgot," Daly says. After the bitter campaign in Scotland, in which an alliance of churches led by millionaire businessman Brian Souter poured money into "Keeping the Clause", the government was pleased with its victory, which seemed to establish Holyrood as a progressive political space early on in the life of the parliament. But without updating the curriculum or retraining teaching staff, Daly argues, it left a "massive vacuum" of uncertainty. 

The Stonewall research suggests a similar confusion is likely across the UK. Daly doesn't believe the situation in Scotland is notably worse than in England, and disputes the oft-cited allegation that the issue is somehow worse in Scotland's denominational schools. Homophobia may be "wrapped up in the language of religious belief" in certain schools, he says, but it's "just as much of a problem elsewhere. The TIE campaign doesn't have different strategies for different schools." 

After initial disappointments - their thousands-strong petition to change the curriculum was thrown out by parliament in 2016 - the campaign has won the support of leaders such as Nicola Sturgeon and Kezia Dugdale, and recently, the backing of a majority of MSPs. The Scottish government has set up a working group, and promised a national strategy. 

But for Daly, who himself struggled at a young age with his sexuality and society's failure to accept it, the matter remains an urgent one. At just 21, he can reel off countless painful stories of young LGBTI students - some of which end in tragedy. One of the saddest elements of the story from St Kentigern's is that the pupil claimed his school was the safest place he had to express his identity, because he was not out at home. Perhaps for a gay pupil in ten years' time, that will be a guarantee.
