The American View:  Why Do People Keep Posting Proprietary and Classified Information to LinkedIn?

Cybersecurity pros love to lecture their users about the dangers of over-sharing sensitive information. “Criminals read everything you post,” we warn, “and they use that information to craft convincing phishing attacks. Don’t post sensitive things online!” That’s technically true, but it’s not useful advice because it doesn’t factor why people over-share. If we don’t address the “why” factor first, we’re not going to convince anyone to change their risky behaviour.

As an example: you have a LinkedIn profile, don’t you? It’s a near certainty. This column is posted on Business Reporter, which suggests that most of my readers have at least some interest in, connection to, or place in whatever passes for modern “business” (i.e., “an occupation, profession, or trade”). It’s accepted protocol that if you’re in business, you advertise yourself on Microsoft’s business-themed social media platform. It’s where you go to make it known that you want a new gig, then where you to go to brag about your new gig (a cycle that we’re all expected to repeat endlessly over what passes for a “career”).

So, LinkedIn must be great, yeah? Everyone’s who’s anyone in the corporate world is there! It must be the hippest and most happening place around. Everyone gets a ton of value from it. At least, that’s what all the adverts telling me to upgrade to “LinkedIn Premium” claim …

Yeeeeeeaaaaaah … about that … As useful as LinkedIn is (and I don’t dispute that the site has value), it’s important to remember that LinkedIn is, at its heart, a social media platform. It’s operated to make a profit. Per this 2019 article from Investopedia: “According to LinkedIn’s quarterly SEC filings, the professional networking site makes money through its talent solutions, marketing solutions, and premium subscriptions – in other words, by selling advertising, recruitment services, and membership privileges.”

The aphorism “follow the money” always applies.

Facebook makes money selling ads that appear in between fake news stories. Twitter makes money selling ads that appear in between threads of trolls brutally harassing women. LinkedIn makes money with sponsored content, sure, but it appears that most of its revenue (about two-thirds worth, per the above article) are made by selling recruiters access to its users.

To be clear, I’m not suggesting that there’s anything wrong with that business model. LinkedIn isn’t doing anything shady; they’ve always seemed quite open about how their operation functions. What I am suggesting is that it’s critical for us in security to remember that LinkedIn is a social media platform first and foremost. That means it’s designed, operated, and optimized to keep its users coming back.

The more users post about themselves, the more other users will consume their content and respond to it. This, in turn, triggers even more traffic that keeps users glued to their phones, excited to see what’s next. That “engagement” directly serves those recruiters who are paying LinkedIn to “find talent” as well as those companies who post jobs on the site for the same reason. For LinkedIn to be a destination platform, it needs to be “sticky” … that is, once a user logs on, they’re incentivized to spend time there. They feel a need to participate. To take advantage of all that the platform has to offer … which eventually becomes paid premium services.

I see it every day. I only post one article each week on LinkedIn (including this one!), however I get an average of 12 notifications every day telling me about new content that people “in my network” have posted. I receive anywhere from 1-10 new “connection requests” from people I’ve never met wanting to “join” my network to boost their own profile status. I receive 3-4 new direct messages from salespeople and recruiters every week who didn’t bother to read anything on my profile. The site sends me weekly “alerts” that “95 people viewed your profile this week” and reminds me that if I just gave them a few hundred quid I could be allowed to know who those people were!

“But what if one of these mystery views came from the Pope? Or the Prime Minister? Or Dua Lipa? How must I reinvent my online presence to make these anonymous strangers think favourably of me? AAAAAAUUUGH!”

This is what social media platforms do. They let you join for free, then bombard you with good reasons why you should participate more, engage more, and – most importantly – pay more for the privilege. This is what all social media sites do, even the platforms that pretend they’re not social media. Take for example … online dating sites.

I was chatting with a young fellow at the pub a few nights back. He told me he’d just returned from a date. His introductory dinner to a new “match” went well; it just didn’t last very long. Still, he considered the dinner a success given his massive investment of time, attention, and money in the online dating site he and his “match” were using. That sparked my interest as I’ve never used dating apps; I asked the fellow a ton of questions about his experience.

“Dating apps are abusive and addictive.” He complained. “I hate them. They keep you stressed out, feeling like garbage, and terrified of FOMO. [1] You spend hours scrolling through your feed, throwing ‘likes’ and comments into the void with no response. You agonize over tweaking your profile to be more attractive to others but you never get any feedback on what exactly in your profile might have turned someone off. But you can’t stop, because there’s no other way to meet people outside of your tiny social or work circles, especially during the pandemic.

“I’ve used a bunch of different dating apps,” he said. “They’re all the same and they’re all useless. They promise that ‘finding someone special’ is just around the corner if only you stick with it or ‘up your game’ with a ‘premium boost’ so that your profile appears more often in other users’ feed so you stand out.

“Online dating apps are habit forming,” he concluded. “Using them creates a spike of fear that you’ll be alone forever so you pay for ‘upgrades’ to avoid missing out on ‘the great opportunity.’”

Romantic comedies have poisoned much of the world’s adult population into believing that one’s “soul mate” can be discovered, wooed, and brought into a committed relationship in just 90 minutes if only one can arrange a “meet-cute.”

Sounds awful, doesn’t it? Kinda makes you wonder if the entire online dating app ecosystem is built on the cynical and sadistic exploitation of vulnerable customers. As Omar Aboulezz wrote for the Harvard Busienss School in his 2016 essay Exploitive Platforms: How Tinder Exploits Lonely Men to Make MASSIVE Profits:

“[Dating app] Tinder sells users a fantasy, a hope that maybe if they just purchase this premium feature or service maybe they will find the one. The claims about getting up seen by 10x more profile views, or up to 3x improvement in matches, when examined empirically means that many users still get almost no benefit from these features/services. The ease of use of the application to purchase said services acts as an almost gamification, that facilitates the microtransactions that create the app’s wild profitability. The app explicitly and almost exclusively preys on lonely men. … This is the grim reality that the Tinder platform has created.”

So … what does all this have to do with my opening premise? Consider for a second just how much LinkedIn has in common with dating apps:

  • They’re social media platforms first and foremost. Their business model is built around keeping users engaged. Their “stickiness” comes from a constant stream of algorithmically filtered content that’s optimized to make customers feel inadequate when contrasted with other users
  • The more they can get their users to return and participate, the more they stoke their users’ “sunk cost fallacy” as a way of blaming the user for the service not working as advertised
  • That feeling of almost making it while other users are shown to be making it convinces the customer that the problem is with them, not with the site itself. If they only strive a bit harder, they’ll surely succeed like all these other satisfied customers
  • They encourage users to ‘upgrade’ their experience with paid premium services; the ‘best results’ simply can’t be had with the basic, free version of the service
“You can do it, mate! I upgraded to the ‘platinum service’ with the change I got panhandling and now I’m married to a supermodel! Also, I’ve just been made the shadow minister for BREXIT logistics.”

But wait, I can hear you exclaim, LinkedIn is a business site, not a dating site. It works on a totally different model with different goals, right? Um … no. Social media is social media; user relationship brokering works on the same neuroscience and business tactics regardless of whether you’re shilling romance or career progression. These sites “sell” future happiness (or an improvement in your quality of living) if you participate. The apps are free, but if you don’t pay for the “premium services”, you won’t get all the theoretical benefits the site offers.

At its heart, every social media platform employs psychological manipulation to keep its users playing along. Often, this practice has alarming negative effects. Instagram is horribly corrosive to young women’s self-esteem. Facebook is horribly corrosive to democracies. Dating sites are horribly corrosive to users’ mental and emotional health. LinkedIn, by comparison, is far less harmful to its users than most other types of social media; it’s certainly entire orders of magnitude less harmful than Twitter, but that doesn’t mean using it is entirely harmless.

LinkedIn bombards its users with notifications about what a user’s “connections” are up to: the articles they’re written, the promotions they’ve receive, the award they’ve celebrated, the course they’ve completed … all the events that a businessperson would brag about if they could do so without seeming gauche. At the same time, they constantly intimate that more prestigious and more lucrative “opportunities” are just a click away. The site makes people feel celebrated one minute and inadequate the next.

While LinkedIn might claim that they’re trying to share professional news in a positive, affirming manner, their technology is no different than other social media sites showing off other people’s lavish lifestyles, dazzling fashion, gourmet meals, hot new paramours, etc. Social media updates are designed to stoke a user’s fear of inadequacy; to make their users feel envious, jealous, and anxious at all times. That, in turn, influences the demoralized users to post their own exaggerated accomplishments to try and “keep up.” This, in turn, motivates their friends to one-up them, creating a vicious cycle of despondency- jealousy-desperation-exhilaration-despondency.

It’s like hiring the same person to be both your life coach and your tormentor at the same time.

See it now? The addictive design of social media, fuelled by an unrelenting algorithm that cheery-picks posts that maximize emotional manipulation, compels its victims (er, users) to pace themselves (and their lives) against their more successful, more glamourous, and more enviable peers … except that most of those accomplishments are exaggerated, if not completely fabricated for “likes.”

Again, LinkedIn seems to do a lot less of this than more traditional platforms. Still, it can’t escape its essential nature. The site’s raison d’être required it to pressure its users to engage. This emotional push to share rapidly becomes an overpowering urge to over share. I figure that nine times out of ten, the ill-advised public posts that criminals and scammer capitalize on are not the result of poor security training or wilful disregard for security best practices but are the natural responses to deliberately inflicted discomfort. It’s a protective reaction. My friend’s success hurt my feelings, so I had to prove to everyone else seeing this post that I’m just as good a person as they are – or better.

The reason I say all this – and thanks for making it this far; I know it’s been a long argument – is that we in the security field are never going to curb this counterproductive user behaviour by condescendingly lecturing people about why they shouldn’t post sensitive information. They know that; we’ve told them often enough. If we want to curb this sort of behaviour, we must address the real reasons why it happens. That is to say, we must shift our training and awareness efforts toward teaching users how social media platforms manipulate them into engaging in risky behaviour despite themselves. We must help our people recognize the potentially harmful aspects of social media so they can recognize when they’re being manipulated, then rationally and safely disengage before they make a career damaging mistake.

It doesn’t mean we should abandon or shun social media. Just realize how it works against our best interests in favour of its own. It’s little different from booze, tobacco, or fast food in that regard. Enjoying it moderation is fine; just realize that if we let our natural appetites control us these “delights” will inevitably harm us.

[1] FOMO = Fear of Missing Out

Keil Hubert

Keil Hubert

POC is Keil Hubert, keil.hubert@gmail.com Follow him on Twitter at @keilhubert. You can buy his books on IT leadership, IT interviewing, horrible bosses and understanding workplace culture at the Amazon Kindle Store. Keil Hubert is the head of Security Training and Awareness for OCC, the world’s largest equity derivatives clearing organization, headquartered in Chicago, Illinois. Prior to joining OCC, Keil has been a U.S. Army medical IT officer, a U.S.A.F. Cyberspace Operations officer, a small businessman, an author, and several different variations of commercial sector IT consultant. Keil deconstructed a cybersecurity breach in his presentation at TEISS 2014, and has served as Business Reporter’s resident U.S. ‘blogger since 2012. His books on applied leadership, business culture, and talent management are available on Amazon.com. Keil is based out of Dallas, Texas.

© Business Reporter 2021

Top Articles

Governance, risk and compliance in the new normal

Governance, risk and compliance topics are now the defining challenge for board directors and the C-suite.

Driven by faith: a delivery company built on service and spirituality

BJS is a family-run delivery business based in the Midlands delivering all sorts of things for all sorts of people.

The impact of climate change on the insurance industry

There is little doubt that the impact of climate change on insured risk is increasing in severity & impact in…

Related Articles

Register for our newsletter