LinkedIn has confirmed researcher claims that the calendar integration feature in its mobile apps sends complete details about people’s upcoming meetings back to the company’s servers, and it has updated the apps to limit what’s being collected.
Back in April, LinkedIn added an opt-in feature to its iOS and Android apps that uses calendar event details to identify the LinkedIn profiles of individuals with whom users of the apps are scheduled to meet.
Researchers from security vendor Skycure Security have analyzed how this feature works and found that LinkedIn’s iOS app doesn’t only inspect calendar meeting details locally on the device, but actually sends the information back to LinkedIn’s servers.
This poses a serious privacy risk because some of the collected information can be highly sensitive. For example, calendar meeting notes tend to include conference call numbers and passcodes, Skycure co-founder and CEO Yair Amit said in a blog post on Wednesday.
“In order to implement their acclaimed feature of synchronizing between the people you meet and their LinkedIn profile, all LinkedIn need is unique identifiers of the people you are going to meet with, not all the details of your planned meetings,” Amit said. “Details such as meeting schedule, location, title or notes, which tend to be sensitive in particular for organizations, are irrelevant for this task.”
In addition, the LinkedIn app does not clearly notify users that their calendar event details are being sent from their devices. This is possibly a violation of Apple’s privacy guidelines, which state that apps can’t transmit user data without obtaining user consent and providing information to users about how and where this data will be used, Amit said.
Joff Redfern, LinkedIn’s head of mobile products, confirmed that the company’s mobile apps send complete meeting details from users’ calendars back to its servers if users have opted into the feature. That information is used to make LinkedIn’s profile matching algorithm increasingly smart, Redfern said in a blog post on Wednesday.
Calendar data is sent to LinkedIn’s servers over Secure Sockets Layer (SSL) connections, but the data is not stored on the servers and is not used for purposes other than profile matching, Redfern said.
In light of the privacy concerns raised by Skycure’s researchers, LinkedIn has decided to stop collecting calendar meeting notes and to add a “learn more” link inside its mobile apps to provide detailed information about how calendar data is being used.
“These improvements are live on Android now and have been submitted to the Apple store and will be available shortly,” Redfern said.
Users who previously enabled the calendar integration feature, but no longer want their calendar details to be shared with LinkedIn, can turn the feature off from the app’s settings. The calendar integration will remain an opt-in feature, Redfern said.