Just had to do some experimenting...it's using OpenID and yes, it tells you it wants access to your contacts (of course...that's why you'd have opted to do that, right?) BUT the UI is very misleading--it's easy to send invites you didn't mean to send in that initial session, and worse, there's nothing that would suggest to users that if you give LinkedIn access in this way ONCE, it will continue to have access until you revoke its access in Google.
It's using OpenID to sign into Gmail when you give it a new email address (which I just did...to a Gmail account I use rarely and has only one contact I just planted in there). So it's actually launching a window to Google where you type your username and password. Then you're told LinkedIn would like to "view your email address" and "manage your contacts" (still by Google). Hit accept and...it's still showing me my contacts from my original Gmail account. Clearly I need to revoke LinkedIn's permissions there.
So really, the problem is that LinkedIn leads you to believe that it's only looking at your address book during that one event when you're guiding the process, when actually you're giving it permissions via OpenID. (My bad for not remembering/realizing that...did I mention I was also watching TV?...but at least I know what's going on now. And it never occurred to me that I needed to revoke their access to my contacts--I was dealing with the immediate fallout of LinkedIn-spamming a whole lot of people.)
I'm going to monitor the contact email I planted to see whether they ever send anything to it.
This was well over a year ago--that was my recollection but it may in fact be wrong. (In fact, now I think it was--more on that in a second.) There is an explicit "we're not storing your password" statement...and in fact now I think I never did provide my password. (I guarantee if I did, I changed it immediately after.)
I just clicked the current "Connect with Gmail" link simply to see what language they use--was NOT going to give it my password but my email address is autofilled. Lo and behold, on the next screen MY CONTACTS ARE SHOWING UP. WTF?
Next step in experiment...opened LinkedIn and logged in using Chrome Incognito mode...click Connect with Gmail--again, CONTACTS SHOWING UP. I did have an open Gmail window in Chrome (not Incognito) so logged out of that and repeat with LinkedIn. *STILL* see the contacts.
I'm actually going to experiment more with this to figure out what they're doing, but this is far worse than I thought.
This is a case of confusing UI defaults, I think, but given that *I* also got caught by it (and was mortified), even though LinkedIn isn't "hacking" anybody, I don't have a lot of sympathy for them (LinkedIn--have enormous sympathy with the users, even though I suspect their case won't stand up in court).
Here's what I think happened to me (as best I can remember...I'm not about to try to reproduce it): Yeah, sure, look for my contacts (provide Gmail username/password...all assurances are given they won't email anyone without your permission blah blah). LinkedIn shows you a list of a few dozen (IIRC) contacts in a frame (possibly those you most recently exchanged email with?); I deselected all of those and then carefully went through and selected a very small subset I actually wanted to "connect to." Once I've done that, I hit submit (or whatever) and get some confirmation, "We're going to send the invite, okay?" Yeah, sure...it's only sending to a few people, right? SOMEWHERE on that confirmation (again, IIRC) is a checkbox that alludes to the fact that, oh? All the contacts you DIDN'T unselect--IN YOUR ENTIRE CONTACTS LIST--are gonna get an email. Got to the next screen and it said something like "200 emails sent" and the expletives flew. (I can see missing that message...it was small.) Of course I was doing this process while I was watching TV or something--it didn't have my full attention--but the behavior was SO counter to my expectations of opting-in I was floored.
I can see why users would think LinkedIn "stole their contacts when their email was left open"--they're thinking that subset-selecting frame is the only time LinkedIn is (transparently) accessing their account (and therefore shouldn't do anything with contacts that don't appear in that frame, which makes sense in terms of user expectation).
100% agreed.
Wow. That's appalling.
Okay...more testing.