LinkedIn recently unveiled "Intro", a service that adds social information to e-mail messages on Apple's mobile devices. Using Intro, when reading an e-mail on an iPhone or iPad, a context menu appears showing the sender's biographical information, sourced from the LinkedIn social network.
The menu can be expanded to reveal more information, edit notes and add the person as a LinkedIn contact. It's very clever software engineering, but it's also an incredibly bad idea, which exposes the user's e-mail to risk.
When we talk about the dangers of putting all our eggs in one basket, e-mail is, in a very real sense, the modern basket. Aside from all the personal information sitting in our e-mail archives, most online services can be managed, and passwords reset, via e-mail. The now infamous story of how Mat Honan's digital world was turned upside down all hinged around his violated e-mail accounts and, for most users, the risk is similar. For this reason, any service, app or browser add-on that grants a third-party full access to your e-mail should be viewed with deep suspicion. And Intro is all that and more.
Too clever for its own good
Intro is unquestionably a very clever hack. LinkedIn's engineers solved two key problems to make it work. First, they worked around the lack of JavaScript in the HTML renderer used by the iOS e-mail client, instead using clever CSS to display the information and, even better, to make it interactive (you can read the details of the CSS in question at LinkedIn's Intro page).
Second, to modify the e-mail content without access to the e-mail client itself, they embed the LinkedIn HTML content into the e-mail via a mail proxy, which operates similarly to a third-party filtering service like Mimecast - the proxy picks up your mail, adds the content, then sends it on to you.
The end result is a very slick presentation of LinkedIn content within the e-mail client on iOS devices. The engineers deserve plaudits for the hack, but the product should never have left the lab. The moment Intro was announced, LinkedIn found itself walking headfirst into a blizzard of criticism, and its hasty defensive reply did little to appease the observers.
The kludgey nature of the hack drew some ire. For example, relying on CSS workarounds is unreliable - an update to the e-mail client could render the extra material, or entire e-mails, unreadable. But the bulk of the criticism was around the security issues inherent in the mail proxy approach.
Security concerns
LinkedIn Intro functions by operating a proxy between you and your e-mail provider. In other words, all your e-mail, in- and out-bound, will now flow through LinkedIn's servers. It uses IMAP to ensure that e-mail is edited as it synchronises to the device, so that non-supported devices see only the original e-mail (since it will not use the proxy).
Any compliance requirement, or use policy, which requires e-mail to be shielded from third parties is immediately violated. Intro is the sort of man-in-the-middle attack that gives IT departments nightmares, and it's likely many organisations will take pre-emptive action to warn their users away from Intro.
This concern is compounded by the fact that Intro is altering your e-mails in transit, in ways you cannot predict, which also raises compliance flags.
Editing e-mail on the fly has another immediate implication for security - you can no longer rely on digital signatures, since the signed hash will definitely no longer match the message you receive.
There is also the risk of outage - adding another single point of failure to the chain of delivery raises the odds of e-mail becoming unavailable if the proxy server is offline. And there is the smaller, but real, risk of interoperability problems with other e-mail filtering services.
There are two deeper concerns here too. First up is LinkedIn's poor security track record.
LinkedIn's credibility question
In mid-2012, LinkedIn suffered a security breach, with Russian hackers stealing 6.5 million hashed passwords. That was bad, but the revelation that the passwords were unsalted (insecurely encrypted) deeply compounded the shame - the company had either overlooked or ignored elementary security practices. Those 6.5 million password hashes are still available, and are now a popular choice for security researchers to test password cracking tools.
There have been other privacy concerns with LinkedIn before too, again within the iOS environment. In the same timeframe as the password leak, it was shown that the company's iOS app, when integrated with the user's calendar on the device, was sending more data back to LinkedIn than necessary.
That brings us to the second concern: privacy.
Mining your data
There is no single more valuable source of information about most users than their e-mail accounts. One day social networks may claim that crown, but for now, e-mail is the centre of most users' digital worlds. When Google launched Gmail in 2004, it was a two-fold masterstroke. On one hand, Google gained new real estate to display ads to users, but far more valuable was its new ability to mine that wealth of data, all of which feeds back into the search giant's understanding of user behaviours and preferences, well beyond the e-mail interface itself.
LinkedIn and other networks know this full well, and they covet access to that data flow. Facebook's recent acquisition of Onavo.com will give the social network valuable analytics on users' Internet usage across browsers and apps, for example. With access to your e-mail, LinkedIn's ability to draw your social graph will grow exponentially. And with many users receiving e-mail notifications from Facebook, Twitter, Google+ and other networks, LinkedIn would gain unprecedented access to your engagement on other networks as well.
In LinkedIn's response to Intro's security concerns, a key point states: "When mail flows through the LinkedIn Intro service, we make sure we never persist the mail contents to our systems in an unencrypted form. And once the user has retrieved the mail, the encrypted content is deleted from our systems."
That point, and the rest of the statement, says nothing about metadata - the data generated from the analysis of the message and its content, and the data that holds the value to an entity like LinkedIn. There is zero chance LinkedIn is not creating, analysing and storing that metadata.
Intro is a clever demonstration of technology, but the implications for corporate security policies, compliance, personal privacy and potential outage are too great to ignore, even if you overlook LinkedIn's historic security woes, and even if you take the firm's "pledge of privacy" at face value.
Share