When it comes to privacy and social media platforms, LinkedIn is the necessary evil we have to put up with. While it’s a no-brainer to delete your Facebook account, so much of job recruitment revolves around LinkedIn that it’s a lot harder to sever ties with it. Many companies don’t even post their career opportunities anywhere other than LinkedIn, and prefer applications that come directly through the platform. It’s also a great tool for headhunters to find suitable candidates.
So let’s assume you have a LinkedIn profile, you want to build up your online resume and personal brand, and you want to be able to jump on an opportunity if it presents itself. You can accomplish all that without revealing every aspect of your professional self to the whole world by default. Let’s start off with LinkedIn settings and then move on to behavior on the platform, and other tips.
Viewers of this profile also viewed: No, for two reasons. First, you don’t want to redirect potential recruiters to other profiles. Second, there are a lot of fake and other unwanted profiles (sex workers and such) that you don’t necessarily want promoted on your profile page.
I’d avoid syncing anything with LinkedIn.
Partners & services
Review what accounts you’ve connected with LinkedIn. Less is more.
Email addresses: No need to have more than one. Delete old ones, at least.
See two-step verification. Do not add.
Change password: LinkedIn suffered a massive data breach in 2012. I’m assuming you’ve changed your password since, but with a password manager, it’s not a big deal to change it again. Use a strong, unique password.
Where you’re signed in: it’s basic security hygiene to every now and then log out of all your active sessions.
Devices that remember your password: if you’re using a password manager – as you should – this should have 0 devices.
Two-step verification: For a long time LinkedIn supported only SMS-based 2FA, which is still better than nothing. LinkedIn now also offers an Authenticator app option; enable it and use that instead of SMS. Remember to store your recovery codes safely (in your password manager, for example).
Visibility of your profile & network
Profile viewing options: Choose “Private profile characteristics” or “Private mode”.
Story viewing options: Choose “Private profile characteristics” or “Private mode”.
Edit your public profile: This actually opens another page, full of settings to tinker with.
- Custom URL: best to make one and thus “own” it
- Your profile’s public visibility: this guide is written on the premise that your profile is public.
- Profile photo: only your network.
- Rest of the settings I’ve selected in a way that if a person (who I know or have met in person) searches for my profile, they will be able to identify the profile belonging to me. Meanwhile, for random people the profile is just, well, a random profile. You don’t need to boast with your job experience and education to every stranger.
Who can see or download your email address: LinkedIn recently added the “or download” part to this setting. At least they’re finally being more open about this. There are two settings in here. First, who can see your email address. I’d suggest keeping it visible only to you, or to 1st-degree connections. Do you really need to share your email address, if connections who don’t already have it can still reach you via LinkedIn’s own messaging system? The important thing to note here is that if someone can see your email address, “they will be able to contact you directly“. The second setting asks for your permission for the email address to be shared in data exports. That’s a strong No.
Who can see your connections: Connections are never fully public, they are visible either to just you or your connections. No matter which setting you select, your 1st-degree connections will always be able to see shared connections. By default, advertisers can serve ads specifically to the connections of a company’s employees, but advertisers can’t see these connections (except to the extent they may be personally connected to you, as described above). To stop advertisers from serving such ads to your connections (to the extent they are not also the connections of other employees at your company), select the Only you setting.
Who can see your last name: It’s trivial to find your full name with all the other data you have on your profile, so I don’t see a reason to limit the visibility of your last name only to its first letter.
Representing your organization and interests: Up to you, but I see this as a useless profile leak.
Profile visibility off LinkedIn: “Should we show information from your profile to users of permitted services such as Outlook?” Hell no. More information here.
Manage who can discover your profile from your email address: Nobody.
Manage who can discover your profile from your phone number: Nobody.
Visibility of your LinkedIn activity
Manage active status: No one.
Share job changes, education changes, and work anniversaries from profile: No.
Notify connections when you’re in the news: No.
Mentioned by others: This might be useful. At least it helps to know what others write and expose about you.
Followers: Your connections.
These settings are not necessarily related to privacy or OPSEC, but I suggest going through these anyway. Here’s a couple to look at.
Email: Not necessarily related to privacy or OPSEC, but I want to highlight this, because LinkedIn has once again changed the way they send email. I had not received any emails from LinkedIn since I first created this article, but now over a year later I suddenly got some type of a “digest” newsletter. Long story short, re-check these settings.
Messages: Don’t allow Sponsored Messages.
Read receipts and typing indicators: Off.
Reply suggestions: No. This doesn’t mean your messages wouldn’t still feed this machine learning system, but there’s no need to participate willingly either.
Manage your data and activity: Take a look at this. Through this list I learned that even if you delete your phone number, it just disappears from your profile – LinkedIn still keeps it in their database.
Get a copy of your data: If you’re on the fence whether or not to bother following this guide, download this data set and see if it sways your opinion.
Salary data on LinkedIn: Don’t submit salary data.
Search history: Can only be cleared, but you can’t stop it being collected.
Personal demographic information: No. LinkedIn doesn’t need this data and they will use it for targeted advertising. They also use this to “provide aggregate data to companies about the diversity of candidates engaging with job posts or appearing in candidate searches, to assist companies in their efforts to recruit more diverse teams.” In other words, they support discriminatory hiring practices where candidates are chosen based on their sex, not based on their merits and skills. Do NOT give out your demographic information. If a company values diversity of superficial features over diversity of thought, do not apply to such a company.
Social, economic, and workplace research: No.
Job seeking preferences
Job application settings: Off. Might be useful if you’re actively applying for jobs.
Sharing your profile when you click Apply: Yes. At least for me this is literally the reason why I have a profile in the first place.
Commute preferences: Absolutely no need to populate this data.
Signal your interest to recruiters at companies you’ve created job alerts for: Sure, if you’re actively looking for jobs.
Stored job applicant accounts: This is about storing third-party job applicant accounts on LinkedIn. No need to do so.
Permitted services: Less is more.
Microsoft Word: No.
Profile data for ad personalization: No.
Interest categories: No.
Data collected on LinkedIn
Companies you follow: No.
Job information: No.
Audience insights for websites you visit: No.
Ads beyond LinkedIn: No.
Interactions with businesses: No.
Ad-related actions: No.
Suggested reading: LinkedIn’s Data Protection for Probabilistic Identity Inferences
Fake invites, LION, and managing your network
You are a target. Even if you don’t consider yourself especially interesting, your profile is still a way in for scammers and other adversaries to gain credibility within your company and LinkedIn network. These accounts are used for phishing, and especially for spearphishing C-level targets, as well as for sending malicious URLs via InMail. LinkedIn is just as riddled with fake accounts as Twitter or Facebook, make no mistake about it.
These fake profiles might use, for example, your company’s public event as an excuse to send you a connection invite. If the contact request appears to come from within your company, ping the person and ask if they sent it (this also doubles as a check to see whether that name can be found in your IM system). Another easy way to start assessing an account’s credibility is to do a simple reverse-image search of their profile picture. Unfortunately, there is no single easy way to tell whether an account is fake, but if you’re convinced of its fakeness, please report it to LinkedIn. Personally I only accept invites from people I have actually interacted with, preferably face to face.
LION, or LinkedIn Open Networking, is a phenomenon where self-identified LIONs try to amass as big a LinkedIn network as possible by both sending a lot of invitations and accepting pretty much any invitation. Generally, these people have thousands or tens of thousands of connections. Do not accept any invites from LION profiles. If I’m doing OSINT on LinkedIn, I try to connect my sockpuppet with as many LIONs as possible, because that greatly expands the LinkedIn search capabilities (and usefulness), as others’ profile visibility increases. Getting connections this way is also a fast way to increase the credibility of a sockpuppet.
And once again, do not sync your address book with LinkedIn. LinkedIn has had several different ways to trick users into doing so in the past, so think twice when LinkedIn asks for your email address and/or extra permissions.
To wrap things up, a few words about OPSEC in LinkedIn publishing. Once again, common sense goes a long way: don’t post pictures of your new and shiny ID badge, don’t share confidential material (those labels are there for a reason), and in general you don’t need to share details of the tools you use or the IT infrastructure you have. By the way, this same advice goes for recruiters: don’t post your full tech stack in job ads! (H/T @Notquiteyou for that one.) Let’s at least make our adversaries’ lives a bit harder when they are doing their recon, instead of handing everything over on a silver platter. There’s not a single role in any company that couldn’t contribute to this.
You don’t need to share pictures of your workstation or your working area in general. If you want to publish photos of your company, the lobby or the outside of the premises is a much better option.
Remember: you’re not just a target, you’re an attack vector towards people who trust you.
If you want to go deeper, here’s a list of the best online privacy guides.
This guide is part of my social media hardening series. You can find more articles like this from this category.