There was a time when LinkedIn would often require you to re-enter your login details, seemingly at random. Login details consist, of course, of your email address plus a password, and so if you used the site much you kind of got used to entering them in every time they were requested.
The login form, unsurprisingly, looked very similar to the one suggesting that you give LinkedIn your email address plus your email account password. When I first noticed this, I thought that, for people who re-use passwords, this was an accident waiting to happen. I'm sure people must have been caught out by this.
I was very tempted to submit this to darkpatterns.org, but the first part of the pattern (frequent re-authentication) doesn't happen any more.
I'm the same -- I never allow websites to riffle through my contacts, and would certainly never give up access to my email account to do it.
However, mobile apps have a much easier time of it. Looking at the contacts stored on one's phone is just one of the many permissions they request, and users are conditioned to just click past that screen anyway.
I never would either. Problem is, it's possible I may have accidentally done it in the past, possibly when I was tired and thought it was about something else.
Did I? Can I undo it? No idea. LinkedIn is quiet about it, and it looks like it can't be undone.
Once information has been transmitted away from your device, it can never be undone. At best you might stop it from sharing future deltas, but once somebody has your data they will always have it as far as you can ever know.
This question ("...but ever?") is a good one. How many people balk at sharing their contact list with LinkedIn, and yet install apps from LinkedIn and also WhatsApp, Facebook or PayPal on their phones, all of which access the contact list anyway?
I'd never install such apps. I once had the Facebook one, long, long ago, but nuked it when the update wanted mic/camera access (and now it wants to read people's SMS on top of that...).
This probably indicates a dark pattern at work ( http://darkpatterns.org/ ) - it was presented as a quick, default and normal action and/or of little consequence, when actually it's quite invasive.
You said that LinkedIn would "scan your contacts to see if those people are on LinkedIn" and this is likely what it is presented as, but actually that information might be retained indefinitely and may be used for other purposes that are thought up later. But hey, it's just metadata, right?
The LinkedIn Android App will periodically ask to scan your Google+ contacts for people you might know on LinkedIn, so if you've ever used that you could have leaked contacts to them that way.
I never gave them the password to my Gmail account, and yet they somehow harvested an email I never used for anything. I wrote about it here: https://news.ycombinator.com/item?id=6935606 . I suspect they stole it from my phone when I installed the LinkedIn app (never do it).
As well as being a stupid thing to do, it is usually also a breach of the agreement between the user and their mail provider. These usually have a clause stating that you agree to never share your credentials with a 3rd party except where required to by law.
Yeah, and it's really, really bad form on the part of the company to ask for credentials from another service. Not sure why people have accepted this as a "standard" kind of practice when it comes to email accounts (of all things).
Honestly, it's a pity that one of the big email providers doesn't just tell LinkedIn that if they continue to solicit email passwords, especially for the purpose of inducing people into accidentally spamming their entire address book, LinkedIn signup emails will be heading to their users' spambox by default.
(Granted, Google has to be pretty careful about how they act towards rival social networks)
I wouldn't say it was a legal requirement (as a lot of such things have not been tested in court) but I've seen it in a few places, usually in the section about you being responsible for anything that happens with your account.
I think it could be easy to do this accidentally. From the main LinkedIn page, if I save my username and password (which is my email) the LinkedIn page automatically fills in the login/password box when I revisit the site.
It also has a separate username/password box for giving it access to your email address. I have never used this feature. However when I visit the site it fills in the second box with the same username and password.
If I used the same password for LinkedIn and my email account, saved my LinkedIn password, then all I would need to do is accidentally click the wrong button to send them my email credentials.
I wonder why mail providers haven't implemented a "single time password, only for websites to peek at the contacts list" feature; I presume it's because the concept itself is broken.
They have, it's called OAuth, and it doesn't involve giving sites passwords at all.
OAuth stands for Open Authorisation, not Open Authentication. While OAuth2 is often used for authenticating against other services, it is designed around authorisation, the ability to give other sites the ability to see info from your email account. Usually permissions are set at a modular level, so you could give sites permission to see who your contacts are, or your contacts and full name, etc.
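The scoped-permission flow described in the two comments above, as an added example that is not part of the thread or any provider's code: a site requests read-only contacts access through an OAuth 2.0 authorization-code request with PKCE, checks the redirect, and never handles the mail password. The endpoint `mail.example.com`, the scope name `contacts.readonly`, and all function names are assumptions made for illustration.

```python
import base64, hashlib, secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical provider endpoint and scope name (assumptions, not real values).
AUTHZ_ENDPOINT = "https://mail.example.com/oauth2/authorize"
CONTACTS_SCOPE = "contacts.readonly"

def pkce_pair():
    """Return (verifier, S256 challenge) as defined in RFC 7636."""
    verifier = secrets.token_urlsafe(48)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge

def build_authorization_url(client_id, redirect_uri):
    """Build the URL the user is redirected to at the mail provider.
    The request carries a scope, never the user's mail password."""
    state = secrets.token_urlsafe(16)
    verifier, challenge = pkce_pair()
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": CONTACTS_SCOPE,          # only what is needed
        "state": state,                   # binds the callback to this session
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    session = {"state": state, "code_verifier": verifier}
    return AUTHZ_ENDPOINT + "?" + urlencode(params), session

def handle_callback(callback_url, session):
    """Validate the provider's redirect and return the one-time code."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:                      # e.g. the user clicked "deny"
        raise PermissionError(q["error"][0])
    state = q.get("state", [""])[0].encode()
    if not secrets.compare_digest(state, session["state"].encode()):
        raise ValueError("state mismatch")
    if "code" not in q:
        raise ValueError("no authorization code in callback")
    return q["code"][0]

def scope_is_within_request(granted, requested=CONTACTS_SCOPE):
    """The scope in the token response must not exceed what was asked for."""
    return set(granted.split()) <= set(requested.split())
```

The user can later revoke the grant at the provider without changing their password, which is not possible once a password has been typed into a third-party form.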
Hand my contacts list to a website? No thank you. When is letting a website have this a good idea, not just LinkedIn, but ever?