Is Facebook’s Breach a Lens to Reexamine LinkedIn?

With daily revelations about Facebook, and our data (and I use that term loosely), and the nuances of constitutes privacy on the aforementioned social network, do we ever stop and think about our relationship with LinkedIn. I’m not talking about our reliance on the social media site, but instead, I want to raise questions about our perceived safety on the site. Each day we log in and absorb, truncate, and analyze the who, what, when, where, and if’s of connecting new opportunities to the aggregation of personal information without significant safety controls. Yes, there’s LinkedIn jail for those of us who use those taboo Chrome extensions. Then, there are the “newsletters” irritating all your email contacts, and providing an endless stream of scams and phishing via Inmail and/or email.

Yes, quite literally, every day someone gets hacked. Whether that’s a telecommunications company having its customer data stolen, or another chain of businesses being ripped for all the credit cards it processes, today one hack just seems to melt into another.

LinkedIn was hacked six years ago, and what initially seemed to be a theft of 6.5 million passwords has actually turned out to be a breach of 117 million passwords. This episode drudges up some embarrassing history for LinkedIn – a history that maybe we forget unless reexamined under the auspices of the recent Facebook hack.

Because of the company’s old security policy, these passwords are easy for hackers to crack in a matter of days. Companies typically protect customer passwords by encrypting them. But at the time of the 2012 data breach, LinkedIn hadn’t added a pivotal layer of security that makes the jumbled text harder to decode.

While many recruiters can’t break their LinkedIn habit (I’m one of them; it continues to be my primary source of hire), the recent Facebook imbruglio does raise an interesting question about our reliance on the social network. While I claim reliance, what I do have that many don’t is a luxury of being able to find candidates without solely relying upon LinkedIn. Recruiters are the reason that LinkedIn ever achieved profitability in 2006. (Instagram is my new favorite. It’s free. I digress, but just like LinkedIn, I realize I’m the product.) At LinkedIn, we are the bacon, or the BacIn. While many of us do not have the luxury of severing from social media without a second thought, it’s worth knowing what’s happening with your data at LinkedIn and making an informed decision about how your data could be breached.

 

THE ILLUSION OF PRIVACY

Originally, LinkedIn started with not much concern for privacy. They wanted more people on the site and struck up a deal to make sure that the site was indexed effectively. From 2003 to 2016, LinkedIn grew from 500,000 users to over 500 million members. Call it virality. 

If you’re on a social media platform, you want to share, right?

Well, typically that’s at your discretion, not an algorithm’s and certainly not one that loves to share indiscriminately.

Has that changed today? LinkedIn made strides with their privacy controls, but it still has a few problems baked into the core of the service.

 

INDEXING

Currently, new profiles default to allow search engine crawlers to access your name, title, current company, and picture. While you can switch that option off easily, if you don’t do it quick enough, that information will be indexed and public, irrespective of any subsequent privacy changes you make.

Searching within LinkedIn based on information you get from Google Cache will often yield profiles of people who thought they set their data to private. The company identified its major growth channels by studying what users were doing and how they were finding the site. Virality and search engine optimization were key ones for LinkedIn, but those key drivers are different for different companies at different times.

 

A COMPLICATED YIELD

Reducing trust to a “yes” or “no” question reduces the barrier to entry for information thieves. It’s a trivial matter to observe a target’s position within the network, join their peripheral interests or third-degree connections, then use the automatic increase in access to appear more trusted in a later attack. There really isn’t an effective defense against this sort of social network attack because it depends on every single member of the network being forever vigilant.

We, recruiters, play the other portion of the field. “We figured [subscriptions] would help us get to profitability fast: We launched subscriptions, which was enhanced communications and search capability. People need to talk to people they don’t already know in order to get the job done. That’s the plural majority of (their) our business today.”

At a 2012 Growth Hacker’s Conference, LinkedIn’s Elliot Shmukler gave a talk on “Lessons Learned While Growing LinkedIn from 13 to 175 Million Users.” According to Shmukler, LinkedIn learned that “it’s easier to focus on a strength than improve a weakness.” Shmukler provided the following numbers, representing the growth channels that LinkedIn focused on improving in 2008: email invites and sign-ups from homepage views.

Driving 40% of signups, the LinkedIn homepage was already a clear strength for the company, whereas email invitations, accounting for just 4%, were a clear weakness.

Their data indicated that people who arrived at the site organically visited, on average, thirty pages per session, while people coming through an invite visited, on average, just ten pages per session. They drew the conclusion that invites were not attracting highly engaged visitors, and therefore not a channel that would be a big success regardless of how they grew it. In other words, email invites were not one of their strengths when it came to driving growth.

Article Continues Below

Understanding that LinkedIn was already doing a good job with users arriving to the homepage organically, they chose to double down on this group—since they were already the more engaged segment—by removing as much friction as possible from their user experience.

This was a smart move on LinkedIn’s part. LinkedIn was able to grow in four months almost the same number of signups from homepage improvements as they did over two years of email invite optimizations. Of course, a near doubling of the effectiveness of email invites is nothing to look down your nose at; but these numbers do indicate that when looking for significant gains in a relatively small timeframe, focusing on improving strengths presents a more powerful opportunity for growth.

Another example of playing up strengths comes from LinkedIn’s “Who’s Looked at Your Profile” emails. The emails had a 5% click-through rate (CTR) for inactive users, but a 20% CTR for active users. Rather than trying to woo inactive users, LinkedIn chose to once again focus on their strengths, making the emails more appealing to active users by testing subject lines, copy, and formatting. Shmukler sums up the core concept behind this, explaining, “It is easier to get an active user to do a lot more than to get an inactive user to do anything.”

 

ARBITRARY RELATIONSHIPS

As many of us know, LinkedIn has three levels of relationship weighting our first, second, and third-degree connections. Arguably, the end user has no control over who gets which category, and all three categories are based on network proximity.

Why is this a problem?

Because relationships aren’t symmetric, even though they’re supposed to be according to Reid Hoffman.

You might have a need for a contact’s email without wanting to disclose full info on yourself. However, network proximity weighting presumes equivalence for all contacts in each class. On the contrary, a second-degree connection might be of only occasional interest, while a first-degree connection might have utility for only a limited time.

With arbitrary policies determining the weight of all of your connections, it robs the end user of setting controls appropriate to each relationship. A great example of this is profile phishing. An attacker only needs to succeed once to become a first-degree connection and gain access to everything.  

 

PAST BEHAVIOR EQUALS FUTURE PERFORMANCE

As alluded to in my opening, LinkedIn has an extensive history of breaches, vulnerabilities, and personal data leaks for both their web and iOS platforms going back many years. At present, they patch quite quickly upon disclosure, but the slow and steady drip of sometimes serious vulnerabilities over years raises some concerns as to whether or not the platform has a culture of security, or insecurity.

Our continued reliance upon LinkedIn might suggest the future of Facebook. Seemingly as we fill the echo chamber with concerns about LinkedIn and it’s lack of privacy controls, web traffic would suggest that the users and daily time spent on the site grew 3x after the hack. Maybe such a hack or lack of privacy controls would spur growth amongst Facebook’s or Indeed’s user base. 

As a Big Data Practice Leader with Relus' recruiting team, Brian Fink focuses on driving talent towards opportunity. Eager to help stretch the professional capabilities of everyone he works with, he's helping startups, and enterprises transform their IT, Recruiting, Big Data, Product, and Executive Leadership teams. An active keynote speaker and commentator, Fink, thrives on discovery and building a better recruiting mousetrap.

Topics