The short answer is yes, LinkedIn messages are encrypted. However, the level of encryption depends on the type of message being sent on LinkedIn.
Encryption of InMail Messages
InMail messages on LinkedIn are end-to-end encrypted. This means the contents of an InMail message are encrypted before being sent, and only the recipient can decrypt and read the message contents. Not even LinkedIn can access or read the contents of an InMail message.
LinkedIn uses the AES 256-bit encryption standard to encrypt InMail messages. This is an industry-standard level of encryption that is very difficult for third parties to crack. So InMail contents are kept private between the sender and recipient.
Encryption of Regular Messages
Regular messages sent between connections on LinkedIn do not have end-to-end encryption. LinkedIn states that while regular messages have secure transmission encryption, the message contents are accessible to LinkedIn.
This means regular LinkedIn messages are encrypted in transit between the sender and LinkedIn’s servers. But LinkedIn has the encryption keys to decrypt the contents of regular messages on their servers. So although the message transmission is secure, LinkedIn can access the contents of regular messages on their backend.
LinkedIn states they have internal policies on access controls to prevent employee abuse of reading user messages. But technically LinkedIn can read regular messages if they wish.
Why InMail Has Stronger Encryption
LinkedIn provides end-to-end encryption for InMail for a couple of reasons:
- InMail costs money – Users pay to send InMails so their privacy is protected.
- InMail is used for more confidential communications – InMail is commonly used for initial outreach between new connections, job interview scheduling, confidential business deals, etc. So the contents tend to be more private.
Regular LinkedIn messages, by contrast, are free and used for more casual communications between existing connections, so LinkedIn doesn’t provide full end-to-end encryption for them.
Encryption When Downloading Messages
LinkedIn also uses encryption when users download copies of their message history. Users have the option to download an archive of their LinkedIn messages to their computer or other local device.
This download process uses industry-standard SSL encryption, so messages are encrypted in transit between LinkedIn’s servers and the user’s local download location. This prevents network sniffing or man-in-the-middle attacks during the download transfer.
How to Tell if a LinkedIn Message is Encrypted
As a user, there is no indicator within a LinkedIn message to tell you if that particular message is encrypted end-to-end. You simply have to know whether it is an InMail message or regular message.
However, when downloading a copy of your message archive, the download page is served over HTTPS. You can confirm the SSL encryption by looking for the lock icon next to the URL.
Limitations of LinkedIn Message Encryption
While InMail contents have end-to-end encryption, there are some limitations:
- LinkedIn still has access to InMail metadata like sender, recipient, timestamps, etc. This data is not encrypted.
- LinkedIn can see if you have communicated with someone via InMail, just not the contents.
- InMail messages are encrypted in transit but stored unencrypted on LinkedIn’s servers. However, access controls prevent employee abuse.
- Encrypted messages still count against your daily InMail limits. So LinkedIn can see InMail frequency.
For regular LinkedIn messages, the limitations are:
- No end-to-end encryption. LinkedIn can access content.
- Only encrypted in transit between sender and LinkedIn’s servers.
- Stored unencrypted on LinkedIn’s servers.
- LinkedIn has full access to metadata and content.
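The difference between encryption in transit and end-to-end encryption described above comes down to who holds the keys. The following Python model of a relay server is an added example, not code from LinkedIn or from this article; the cipher is a standard-library stand-in for AES-256, and the names, keys and sample message are constructed. It assumes the two users have already agreed on a shared key (PEER) that the server never sees.

```python
import hashlib, hmac, secrets

def _sub(key, label):                      # derive independent sub-keys
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):         # HMAC-SHA256 in counter mode
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key, plaintext):
    """Encrypt-then-MAC. Stdlib stand-in for AES-256; illustration only."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_sub(key, b"enc"), nonce, plaintext)
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified message")
    return _xor_stream(_sub(key, b"enc"), nonce, ct)

def relay(body, meta, hop_in, hop_out):
    """The platform: ends the sender's transport hop, stores, then forwards."""
    seen = unseal(hop_in, body)            # the server always holds the hop keys
    record = dict(meta, body=seen)         # what sits on the server
    return record, seal(hop_out, seen)

def regular_message(text, meta, hop_a, hop_b):
    record, out = relay(seal(hop_a, text), meta, hop_a, hop_b)
    return record, unseal(hop_b, out)

def e2e_message(text, meta, hop_a, hop_b, peer_key):
    inner = seal(peer_key, text)           # key known only to the two users
    record, out = relay(seal(hop_a, inner), meta, hop_a, hop_b)
    return record, unseal(peer_key, unseal(hop_b, out))

# Constructed sample data (hypothetical users and message)
META = {"from": "alice", "to": "bob", "sent": "2024-01-01T09:00Z"}
TEXT = b"Offer letter attached, please keep confidential"
HOP_A, HOP_B, PEER = (secrets.token_bytes(32) for _ in range(3))

if __name__ == "__main__":
    for name, (rec, got) in {"transit-only": regular_message(TEXT, META, HOP_A, HOP_B),
                             "end-to-end": e2e_message(TEXT, META, HOP_A, HOP_B, PEER)}.items():
        print(name, "| server sees text:", rec["body"] == TEXT, "| metadata:", rec["from"], rec["to"])
```

In both models the server's record contains the sender, recipient and timestamp; only in the end-to-end model is the stored body something the server cannot decrypt.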
Using External Encryption
For maximum privacy, instead of communicating sensitive information directly via InMail or regular messages, it may be better to exchange encrypted messages externally.
For example, you could agree to communicate via encrypted email or an end-to-end encrypted messaging app like Signal. This way the messages stay entirely private to you and the recipient.
You can initiate the external communication via a brief LinkedIn message, but avoid sending any confidential information over LinkedIn’s servers.
LinkedIn’s Encryption Policies
LinkedIn outlines their encryption policies and security practices in their Privacy Policy and User Agreement. Key points include:
- InMail contents are not accessed or read by LinkedIn employees due to end-to-end encryption.
- Regular messages have secure transmission but contents are accessible internally to LinkedIn.
- Policies are in place to prevent internal abuse or misuse of customer data.
- SSL encryption is used for secure transmission of user data like message downloads.
- Encryption keys, certificates, and infrastructure are managed by LinkedIn’s security team.
- Regular third-party audits and penetration testing are performed.
So in summary, while InMail provides end-to-end encryption, regular LinkedIn messages have some vulnerabilities. For maximum privacy, sensitive communications may be better suited for an external encrypted channel.