Editor’s note: Please see amendment notice at the bottom of this article.
LinkedIn users are showing concern today as it comes to light that the business network will access a user’s Gmail contacts if the user has a Gmail session and a LinkedIn session open in the same browser – and LinkedIn has confirmed that there is currently no way to turn off what it refers to as the ‘auto-authorization’ that lets this poaching occur.
Scientist Forrest Abouelnasr published a digest of his conversation with LinkedIn support after he began to notice impossible associations cropping up on his LinkedIn page:
‘I’ve never knowingly given linkedin permission to access my gmail contacts, but it keeps suggesting I connect on linkedin with people whose only connection to me is messages through gmail – and it usually happens suspiciously right after I send and receive a few emails from that person. This behavior has in the past included people whom I know do not have a linkedin account, since it suggests that I “invite them to linkedin” – which means the other person cannot be allowing linkedin access to their emails, it must be through my linkedin account.’
LinkedIn’s initial response to Abouelnasr suggested that he may have been unaware of the ramifications of sending invitations and using features which he had, in fact, not used – and the explanation didn’t seem to add up.
On further investigation, the same representative looked further into the matter and discovered that this ‘infection’ between Gmail and LinkedIn is by design:
‘What you have encountered is that the people you may know could have been uploaded to LinkedIn through auto authorization if you had at any time your LinkedIn account open and accessed any of your emails through the same browser…In order from preventing this from happening again, you will want to be careful to not open up your personal email address in the same browser when you have your LinkedIn account open.’
When Abouelnasr asked how he could revoke this ‘auto-authorization’, he was told:
‘There is not a setting to specifically turn this feature off. The only way to truly prevent this from happening again is to open up those items in separate browsers. We are not doing this to invade your privacy, we are doing this to assist you in growing your network. We don’t share this information with anyone else and is particular to your account only.’
This case is of particular interest to me, since I have been trying to get a response from Facebook for some time over exactly the same issue – that people I have only ever connected with via Gmail and never even looked up on Facebook have begun appearing as friend recommendations.
At a technical level this kind of cross-site cross-pollination is quite achievable with the technical resources available to the major players concerned – supercookies, canvas fingerprinting, and global cookies acting as cross-site intermediaries all offer the possibility of breaking through a website’s sandbox. But since both Gmail and LinkedIn use secure (https) protocols universally, it would be interesting to know the mechanics of this particular type of data heist. And it is hard to see how cookie-style data could deliver a complete contact list without a dedicated API to facilitate it.
It is worth noting that ‘auto-authorization’ is surely a contradiction in terms..?
UPDATE: LinkedIn deny that the behaviour described in this article can occur without the user’s authorisation, but only if the user goes into the address book import page and grants permission for LinkedIn to access Gmail contacts. Details about this are here. Though Forrest Abouelnasr has apparently retracted his initial complaint, it is currently only available via a Quora page which requires the reader to log in, which we are not willing to link to in its current state. We will add that link if it becomes freely viewable.
Hopefully we’ll eventually get the same level of clarification one day regarding the mysterious cross-pollination between Facebook and other Gmail.