I have a long-standing gripe with LinkedIn for the aggressive harvesting of contacts from their users. I use LinkedIn to a limited extent for professional connections, but I’m always careful to keep it separate and isolated as much as possible, for example by not allowing LinkedIn apps onto my mobile devices. When Microsoft acquired LinkedIn last year I was curious and concerned about how they would make use of LinkedIn’s data, or vice versa. In her analysis of the deal, Mary Jo Foley wrote:
The reason Microsoft was willing to spend so much to acquire LinkedIn was for its data and algorithms. By combining Microsoft’s evolving knowledge graph with LinkedIn’s professional graph, Microsoft would be able to “make professionals more productive.” Microsoft’s graph is a collection of information pertaining to entities like contacts, messages, calendar entries and documents. LinkedIn’s graph centers around entity information regarding jobs, co-workers, learning, prospects and recruiting/hiring.
The suggestion that data sharing could occur between Microsoft and LinkedIn certainly raises some questions. So this discussion on the Microsoft Technical Community very quickly caught my eye.
Today I noticed that LinkedIn has been granted permission to share my “profile and connection data” on my AAD profile page. I don’t remember having authorized LinkedIn to do so.
The profile page they are referring to is found here. On my profile I can see the following entry:
Allow LinkedIn to share your profile and connections data so that Microsoft can use it to customize features in Microsoft applications.
Update 25/8: Microsoft has responded to say the following:
We identified a bug in the profile user interface that incorrectly displayed a settings control for a feature that is not available. No permissions were granted. The option is not functional and there is no effect if you attempted to take action. We’ve rolled back the UI changes and removed the button.
While that addresses what we saw in our Azure AD profiles, it still raises the question of what exactly is going on behind the scenes. After all, someone designed that UI element, wrote the wording for it, and released the code. They wouldn’t be doing that for a non-existent feature. I am leaving the remainder of my article below intact for completeness.
First of all, I’m not aware of any announcements about the addition of that permission to our Azure AD accounts. But I assume it has appeared sometimes after the LinkedIn acquisition was formally completed in December 2016.
Secondly, it’s curious that this permission appears in Azure AD, but the wording is that it allows LinkedIn to share your profile and connection data with Microsoft. That wording suggests that the data sharing is in the direction from LinkedIn to Microsoft. Which means that the permission should actually be granted within LinkedIn, not Azure AD. But a quick check of my LinkedIn security and privacy settings reveals no such permission has been granted.
Thirdly, the permission seems to exist regardless of the LinkedIn usage of the user. I happen to use LinkedIn with my work email address, but many people do not. As noted in the discussion here, people who do not have their work email in their LinkedIn account still see the permissions entry. I have also checked the Azure AD profiles of accounts in my demo tenant that definitely do not have LinkedIn accounts, and the permission appears there as well.
Finally, this permission seems to be separate to the LinkedIn contact sync that is available for Exchange Online users, and that is controlled using OWA Mailbox Policies.
Aside from that, you could argue that we all agreed that Microsoft would get our LinkedIn data to use as they see fit.
Even so, nobody likes surprises when it comes to privacy. Better disclosure would be appropriate, especially if a vaguely worded permissions entry is going to be visible to users and admins in Azure AD.
So, what’s the story? When did the permission appear in Azure AD, and who consented to adding it to all accounts by default? Why doesn’t an equivalent permission control appear in LinkedIn? What data is being shared between the services, and for what purpose? To “customize features in Microsoft applications” is not at all informative. What specific benefits are we seeing from this data sharing?