LinkedIn has released a new offering that is pretty cool, but it comes with some security concerns that you should consider before signing up. The service is called Intro and, when configured, it will replace your outgoing email server with a LinkedIn Intro server. This server will then add some code to the message that will provide your contact/marketing information in the body of the message. For you, this is an easy method to get your message out. For LinkedIn, this provides them with clear-text versions of your email messages, which they can use for targeted advertising in much the same way Google does. Targeted advertising is very lucrative to the service provider.
As you can see from the example above, your normal email will have your picture and other information from your LinkedIn profile inserted. There is a button that when pressed will provide access to additional profile information.
For some business folks, this is a very clever and useful method to get your personal message out. However, like many cool tech features, there is a downside. The rest of this post will describe how this is done and what the implications are if you decide to use it.
To use this feature, your computer/device needs to be reconfigured to replace your outgoing email provider with LinkedIn as your new outgoing provider. The following diagram provides an overview of what a normal email data path looks like:
Normal email data paths
SMTP is the protocol used for outgoing email and IMAP is used for incoming. Both can be (and should be) encrypted, but they don’t have to be. Note that the link between the mail servers may or may not be encrypted; assume that it isn’t.
When LinkedIn Intro is configured, it will configure a new outgoing or SMTP link that bypasses your current email server. The good news is that this link is most definitely encrypted, though again when it leaves the Intro server on its way to the recipient, it’s clear text. This configuration looks something like this:
email data paths with Intro
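An added example (not from the original post or from LinkedIn): one way to check the data path described above on a delivered message is to read its Received headers, where each server records who handed it the message and over which protocol. The sample message, host names and helper names are constructed for illustration, and the check assumes servers record the RFC 3848 keywords (such as ESMTPS) for TLS-protected hops.

```python
import re
from email import message_from_string

# "with" keywords that indicate the hop ran over TLS (RFC 3848).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.I)

# Constructed sample (placeholder hosts): device -> third-party relay (TLS) -> recipient (no TLS).
SAMPLE = """\
Received: from relay.thirdparty.example (relay.thirdparty.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id abc123; Mon, 28 Oct 2013 10:00:05 -0000
Received: from laptop.local (unknown [203.0.113.5])
\tby relay.thirdparty.example with ESMTPSA id ghi789; Mon, 28 Oct 2013 10:00:01 -0000
From: alice@sender-corp.example
To: bob@recipient.example
Subject: test

Hello Bob.
"""

def org_domain(host):
    # Simplification: treat the last two labels as the organisation's domain.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def trace_hops(raw_message):
    """Return hops oldest-first; each server prepends its own Received header."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            proto = m.group(3).upper().rstrip(";")
            hops.append({"from": m.group(1), "by": m.group(2), "proto": proto,
                         "encrypted": proto in TLS_PROTOCOLS})
    return hops

def audit(raw_message, approved_domains):
    """List hops that were unencrypted or handled by a server outside approved_domains."""
    findings = []
    for hop in trace_hops(raw_message):
        if not hop["encrypted"]:
            findings.append(f"cleartext hop: {hop['from']} -> {hop['by']} ({hop['proto']})")
        if org_domain(hop["by"]) not in approved_domains:
            findings.append(f"unapproved handler: {hop['by']}")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE, {"sender-corp.example", "recipient.example"}):
        print(line)
```

Received headers written before a message reaches a server you control can be forged, so treat the earlier hops as a hint rather than proof.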
The implications of this feature are interesting and should be fully understood before using it.
- Third party access to your messages — As noted, this feature will allow LinkedIn to have access to your messages. The contents will be in clear text as it must be to insert code into the message payload. LinkedIn promises that their access to this information is just long enough to perform the service. That’s good, though that could change in the future. However, it allows them to do the aforementioned targeted advertising which to be fair, they’ve not stated that they will be doing.
- Adding yet another third party to your email trail — LinkedIn is a huge target for hackers and malware providers. LinkedIn is providing significant security, though there is some concern about the data transiting between their servers. Some of their servers are using SSLv2, which is known to provide weak encryption.
- Problems with corporate email policies — If you are in a mid- to large-sized business, your company probably has a set of network and email policies in place. These policies usually prohibit using unapproved third party services, especially with email. Most businesses run email in such a manner that internal emails never leave the corporate network (or the network of their Cloud provider). This has the potential of breaking that, which could put you at odds with these policies. This could have legal and job implications.
So what to do? Personally, I’ll not be using this feature. I don’t see the benefits to warrant the concerns. From my perspective, the fewer parties having access to my email the better. One exception to that is my Gmail account (which I use for very little). Google already reads my Gmail messages for targeted advertising, so it’s less of an issue. However, I never use Gmail for any messages that are in the least bit sensitive.
For more information on Intro, see the following:
- LinkedIn Intro
- Blog entry by Cory Scott, Sr Manager of Information Security at LinkedIn — This entry describes the security measures taken with Intro.
- An Introspection on Intro Security by Bishop Fox — Bishop Fox is a security expert who first raised security concerns with this offering. Since his initial blog entry, he has worked with Cory Scott to get clarifications to the service, which he describes.
Some of my previous postings on email and messaging: