Linkedin creepyness

[GK]

Although I have just deleted it, until 30 minutes ago I did not have a Linkedin account. Very strange process - in the 3rd or 4th step I was given the option of selecting contacts from a list of suggestions. 1st in the list was Dave Jones of EEVBlog and about half a dozen other names that I recognized from past emails, some even dating back a couple of years. Very creepy indeed, considering that I have never had anything to do with Lindedin.

But anyway, the reason I temporarily created an account was so that I could view this one:

http://au.linkedin.com/pub/glen-kleinschmidt/75/b77/146

I've had a couple of nonsensical emails recently and I'd like to know if it's a legitimate account or an impersonator. There can't be too many people down here with the same name after all. However with a "basic" account sign up I still wasn't able to view anything. Can anyone here with a paid-up account have a peek?

[Legit-Design]

Very creepy indeed, considering that I have never had anything to do with LinkedIn.

Maybe the other people have imported their contact list into linkedin thats how linkedin knows they are your contacts. You probably have cookies from linkedin also, they track you with a cookie everytime you visit their site. You have probably searched for Dave Jones and visited his linkedin page, you don't need to be logged in to be tracked.

Google actually pretends sometimes that they don't know something about you, just so they don't creep you out.

[GK]

Nope, never visited any Linkedin pages. Must be via other peoples contact lists. Going off topic a bit, Google is really starting to s%^t me in general. The only thing of theirs I currently have an account with is Youtube, and I am seriously considering deleting that too.

[IanB]

When you join LinkedIn you are presumed to use your real name (else, how would anyone else recognize you or endorse you?). So once you provide your real name, you find out how much the Internet knows about you (which is perhaps rather more than you thought it did).

I think you have to get used to the connected world. Information flows two ways, and if you use the Internet as a mine of information then you will get mined too. Just how it goes...

[GK]

When you join LinkedIn you are presumed to use your real name (else, how would anyone else recognize you or endorse you?).

Well, I think that you need to provide a little more information than just your name. Other people need to be able to differentiate and not confuse you from a potential list of others having the same name. There is already an account on Linkedin under my name. It may very well be a legitimate account by someone with the same (not very common) name, but since the person who created the account has apparently decided to publicly block all personal information with the exception of the country in which they live, who can tell?

I've already been told I'm on Linkedin.

[zapta]

GK, did you entered your real name and email when you created the linkedin account?   

(hint:  mailintor.com, fake information and incognito windows are your friends with junk accounts).

[mikeselectricstuff]

I'm sure they just send to emails other members have given as contacts - I get them occasionally, most from people I've dealt with in the past

[Rufus]

Going off topic a bit, Google is really starting to s%^t me in general. The only thing of theirs I currently have an account with is Youtube, and I am seriously considering deleting that too.

Google - "don't be evil" (as long as we get to define evil). Google suck but people who let them suck more.

The only built in backup (and sync) option on android devices is to Google servers. I imagine most (dumb) android users have it turned on.

There has been some stink about that including WiFi passwords which means Google probably has the password for every WiFi node every android device has ever connected to.

Reality is they have most of the information anyone has ever entered into an android device.

How hard would it be to encrypt that information locally before giving it to Google to store? Not hard at all, even optionally for people who can't be arsed to enter a password once when the want to restore or sync on a different device.

The only possible reason I can see for not providing an encryption option is that Google want to be able to read all that information which means they probably do and of course so can the NSA when it wants to.

[Legit-Design]

There has been some stink about that including WiFi passwords which means Google probably has the password for every WiFi node every android device has ever connected to.

I wouldn't be too worried about this, 95% the time wireless security is a joke anyways.

[nitro2k01]

I can see two ways this could have happened.
1) You were asked for your GMail password, so they could look for potential contacts, or LinkedIn asked for permission to access this information through 3rd-party authentication.
2) If they asked you about and you remember declining, there's also the possibility that someone else consented, and all their contacts got added to LI's database, waiting for the other people on the list to join the service. And now you did.

[zapta]

The only built in backup (and sync) option on android devices is to Google servers. I imagine most (dumb) android users have it turned on.

Android is an open source system and its backup manager supports plug in backup transports. Vendors can implement their own transport and backends if they wish.

Same can be done by third party app. Do It Tommorow for example syncs its todo list to its own servers.

How hard would it be to encrypt that information locally before giving it to Google to store? Not hard at all, even optionally for people who can't be arsed to enter a password once when the want to restore or sync on a different device.

You can turn the remote backup off all together (Settings | Backup) and do your own off line backup/restore (search google for 'adb backup').

The only possible reason I can see for not providing an encryption option is that Google want to be able to read all that information which means they probably do and of course so can the NSA when it wants to.

That's a guilty-until-proven-innocent speculation.

The bottom line is that Android provides tons of options. Don't like the Google apps and market, you can use F-Droid  GetJar and the likes. Don't like the Google home launcher, use a third party launcher. I used for years a rooted phones with open source ROMs, Titanium Backup, ROM Manager, and the whole shebang. This days I don't 'dick' (an Aussie  expression?) with it as much much, I found happiness with the stock Nexus software and a few options turned off.

[GK]

I recently had to attend a compulsory IT security seminar to get up to speed on policy changes being made at work. As an introduction the presenter (some ex military dude) pointed each of us out in turn and asked what kind of phone we use. Anyone holding up an Android or "i" phone (not me) got the curt response "you're fucked".

[TerraHertz]

Some time ago I made the huge mistake of starting a linkedin account.
Yes, it got _very_ creepy. That thing is a damned menace. I was getting contact requests that purported to be personal requests, from people who I'd distantly heard of, and I'm certain were not actually asking me to link. And by 'distant', I mean really, really tenuous connections, that linkedin should not have been able to deduce. Nor would I want them to try.

Eventually I deleted the account. But first had to go to http://justdelete.me/  to work out how to do it.

Very useful site that.

Now google+ is going the same way. Ebay too, with their absurd 'share your follows' insanity. All trying to be Facebook, as if that's a good thing.

It's nice to see there's some resistance and backlash, with more and more people realizing that privacy is an essential element of civilization. Snowden being just one outstanding example. Another:
http://www.techdirt.com/articles/20131001/11360024716/privacy-is-part-civilized-society-theres-no-defense-having-it-taken-force.shtml

[Len]

LinkedIn will rifle through your email contact list, after "asking permission" in fine print that no-one notices:

http://nakedsecurity.sophos.com/2013/09/24/linkedin-denies-charges-that-it-hacks-users-email/

[amyk]

LinkedIn will rifle through your email contact list, after "asking permission" in fine print that no-one notices:

http://nakedsecurity.sophos.com/2013/09/24/linkedin-denies-charges-that-it-hacks-users-email/

From that article:

If a LinkedIn user has logged out of all their email applications, LinkedIn requests the username and password of an external email account to ostensibly verify the identity of the user.

Anyone who says "yes" to that clearly deserves what happens to them; it's like falling for a phish, except even more stupid. Doesn't LI have their own accounts? The only login information I'm giving a website is the login for that site, nothing else.

Then again, what else would you expect from a company named Linked In...

[Bored@Work]

From that article:

If a LinkedIn user has logged out of all their email applications, LinkedIn requests the username and password of an external email account to ostensibly verify the identity of the user.

Anyone who says "yes" to that clearly deserves what happens to them; it's like falling for a phish, except even more stupid. Doesn't LI have their own accounts? The only login information I'm giving a website is the login for that site, nothing else.

Then again, what else would you expect from a company named Linked In...

There is an other question in that quote. What if a user hasn't logged out of all email applications? Do they want to imply that in this case LinkedIn helps itself to the data? And how? A web site should not have access to other applications on a computer or other open web applications.

[jancumps]

From that article:

If a LinkedIn user has logged out of all their email applications, LinkedIn requests the username and password of an external email account to ostensibly verify the identity of the user.

Anyone who says "yes" to that clearly deserves what happens to them; it's like falling for a phish, except even more stupid. Doesn't LI have their own accounts? The only login information I'm giving a website is the login for that site, nothing else.

Then again, what else would you expect from a company named Linked In...

There is an other question in that quote. What if a user hasn't logged out of all email applications? Do they want to imply that in this case LinkedIn helps itself to the data? And how? A web site should not have access to other applications on a computer or other open web applications.

Indeed. linkedIn only has access to what members give it. It can't get out of its sandbox and grab info of other sessions you might have open.

LinkedIn has an explicit option to import mail addresses, and that explicit option ecplicitely asks you to log in to your mail account, so that LI can retrieve the contacts. That happens only once at the time the explicit approval is given to LI.  There's no secrets behind this.
So in the OP case, one of the people he mailed with in the past must have given LI explicit access to the mail addresses.

(Did i overuse the word explicit?)

[Rick Law]

Indeed. linkedIn only has access to what members give it. It can't get out of its sandbox and grab info of other sessions you might have open.

LinkedIn has an explicit option to import mail addresses, and that explicit option ecplicitely asks you to log in to your mail account, so that LI can retrieve the contacts. That happens only once at the time the explicit approval is given to LI.  There's no secrets behind this.
So in the OP case, one of the people he mailed with in the past must have given LI explicit access to the mail addresses.

(Did i overuse the word explicit?)

Yeah, but who build the Sand Box?  Stuff on your machine is only guided as good as the least secured application on your machine guards it.  If I run JAVA, Oracle is a guardian of the Sand Box.  If I also run Chrome, then both Oracle and Google are the guardian.  If I run Windows as well, so Oracle, Microsoft, and Google are the guardian.

It is a sand box alright, just like the one in a children's park.  It is a sandbox, but everyone and anyone have access to it, and sands get everywhere, even into your car.

[jancumps]

I trust LinkedIn to not break the sandbox. They ae not a virus build company.
It's a company with commercial interest. They are not criminals.

[Rick Law]

I trust LinkedIn to not break the sandbox. They ae not a virus build company.
It's a company with commercial interest. They are not criminals.

In all probability, you are right that they do not intentionally break into the sandbox.

Since Google/Microsoft/Oracle/etc are "sandbox builders" and thus the guardian of what is inside and outside that sandbox.  They are service sellers, the possibility exist that they may leverage information outside of the "sandbox".  So, the possibility exist that other companies may buy those services.  They may not know or care if any portion of the service rely on stuff outside the "sandbox".  Either way your "outside the sandbox" info is leveraged.