LinkedIn app gets a little too personal with iOS calendar

By Michelle Maltais

June 6, 2012 12 AM PT

Although much of the buzz about LinkedIn on Wednesday has been about an external breach of security, it seems that LinkedIn has been doing a little privacy breaching of its own.

The iOS app recently updated to make your calendar accessible to you within the app may do more with the information associated with your appointments than you know. The app syncs your calendar to seamlessly provide LinkedIn profile information about the people you’re scheduled to meet with.

Researchers Yair Amit and Adi Sharabani found that the app automatically sends your calendar entries, complete with meeting notes, back to LinkedIn’s servers, once you’ve enabled the opt-in calendar function. The team, which said it alerted LinkedIn about the issue, was planning to present the finding at the Yuval Ne’eman workshop on cyber security in Israel on Wednesday.

“While accessing this information locally by the app is not a problem by itself, this information is collected and transmitted to LinkedIn’s servers,” the pair writes in a blog post. “[M]oreover, this action is currently performed without a clear indication from the app to the user, thus possibly violating Apple’s privacy guidelines....The biggest problematic factor lies in the fact that most of the transmitted information is not required for the app’s functionality.”

The company defended the app’s process as necessary.

“In order to provide our calendar service to those who choose to use it, we need to send information about your calendar events to our servers so we can match people with LinkedIn profiles,” the company wrote on its blog. “That information is sent securely over SSL and we never share or store your calendar information.”

The data at issue really are what’s contained in the meeting notes field. Amit and Sharabani argue that there is no reason for LinkedIn to access and transmit anything from that field, such as meeting schedule, location or other defining or personal details.

“In order to implement their acclaimed feature of synchronizing between the people you meet and their LinkedIn profile, all LinkedIn needs is unique identifiers of the people you are going to meet with, not all the details of your planned meetings,” they wrote.

To that end, LinkedIn agreed in its post, although it also points out that none of your calendar content is tapped unless you opt in. As it discretely outlined what the app does and doesn’t do, the company included ts plan to rectify the issue.

“We will no longer send data from the meeting notes section of your calendar event,” the post read. And to cover better disclosure, “there will be a new ‘learn more’ link to provide more information about how your calendar data is being used.”

The changes, it said, are already live on Android and have been submitted to Apple for implementation.

LinkedIn investigating hack reports, 6.5 million leaked passwords

Follow Michelle Maltais on Google+, Facebook or Twitter