Monday, June 22, 2009

Are You an Unsuspecting *SPAMMER* ?

Hello Everyone,

Recently, I had joined Boxbe to try out their services in supposedly
improving my email experience (handling spam, prioritizing emails,
etc.). Unbeknownst to me, the software company essentially harvested my email
contacts list and sent out invitations to my list to join their
network on their behalf! I have since closed my account.

In the era of "social networking," you may want to read this article
from the NYTIMES to get an idea of what companies on the net are doing
these days to help spread the word about their company at the expense
of your reputation and trust network.

Apparently, this practice of spamming by trust has shades of gray in
terms of whether this is considered inappropriate/illegal or not...

Here's the article (source):
http://tinyurl.com/avoidSPAMtoday
(http://www.nytimes.com/2009/06/20/technology/internet/20shortcuts.html?pagewanted=all)

****
Typing In an E-Mail Address, and Giving Up Your Friends’ as Well

By ALINA TUGEND
Published: June 19, 2009

I THOUGHT it was a little strange when I received separate e-mail
messages from two people I knew only slightly asking me to click and
see their photos on a social networking site called Tagged.

I ignored them at first, but then thought maybe I should check it out.
After all, I should keep up on what’s hot in the social networking
world, right? This could be the new Twitter.

That’s when I started doing everything wrong. I obligingly typed in my
e-mail address and a password to see those photos. Well, the photos
didn’t exist, but I had unwittingly given the site “permission” to go
through my entire e-mail contact list and send a message to everyone,
inviting them to see my “photos.”

I found this out only when I started receiving e-mail back from people
agreeing to be my friend. I quickly realized what had happened and
shot off an apologetic message explaining why I inadvertently spammed
them.

As friends’ responses started rolling in, I heard from some who had
received similar e-mail. Others told me about the same problems with
Web sites like MyLife.com and desktopdating.net.

This wasn’t along the lines of someone stealing my bank account
information or Social Security number, but I was annoyed and
embarrassed.

“They’re using your good name to establish a connection,” said Peter
Cassidy, secretary general of the Anti-Phishing Working Group, a
nonprofit organization with representatives from law enforcement,
industry and government.

So what’s going on here? I turned to Michael Argast, a security
analyst with Sophos, an Internet security company based in Boston, to
find out.

He told me that this kind of thing has been happening for quite a long
time in various forms, but has really caught on in the last three to
six months. It’s not the same as what’s known as phishing — fake Web
sites masquerading as real ones to get personal information. These Web
sites really exist.

Instead, this is generally called contact scraping. Once you enter
your credentials, like your user name or password, the company sweeps
through your contact list and sends everyone an invitation to join the
site.

How do the companies benefit? They are expanding their user
population, Mr. Argast said, which they can use to attract potential
investors or advertisers. Whether those users are willing
participants, or people like me, is another question.

“There are multiple shades of gray,” Mr. Argast said. “Some social
networking sites, like Facebook, are pretty straightforward in asking
if you want to share information about your friends. Others are far
less scrupulous.”

In the case of Tagged, my friends received a perky e-mail saying:
“Alina has added you as a friend on Tagged. Is Alina your friend?”
Then you click on yes or no. Even more insidiously, it adds, “Please
respond or Alina may think you said no,” with a sad-face icon next to
it.

I apparently also offered to share some photos; some annoyed friends
even told me to resend the pictures because they couldn’t find them.

“It’s using the chain mail psychology,” Mr. Argast said. And he’s
right. My friends got guilt-tripped into signing on.

It’s easier for these sites to get information from Web-based e-mail
accounts, like Hotmail and Gmail, than from local Internet provider
services, like Verizon or Comcast, but nothing is absolutely secure,
Mr. Argast said.

I spoke to Greg Tseng, founder and chief executive of Tagged, to ask
him what happened. He said all social networking sites invite you to
e-mail your contact list to join up or discover which of your friends
are already members, but that a software glitch meant an unusually
large number of accidental invitations went out recently.

He said the company received almost 2,000 complaints from people who
didn’t intend to send invitations to all their contacts — a fraction
of the three million people who registered in the month when the
problem occurred.

“We immediately pushed the pause button,” Mr. Tseng said. “This
business lives and dies by the good will of people.” He added, “We
took immediate steps to rectify this problem and improve the user
experience on Tagged.”

Mr. Tseng said Tagged was the third-largest social networking site
after Facebook and MySpace, with 16 million active users and 80
million registered users. And guess what? I’m counted as one of those
registered users now.

A colleague, Tom, received a similar “invitation” from an acquaintance
inviting him to join MyLife.com about a month ago. He clicked on
“yes,” and started receiving e-mail from people on his contact list
thanking him for inviting them.

“At first it was amusing, but when I realized that it was mining my
address book, it wasn’t so funny anymore,” he said. MyLife.com was
formerly Reunion.com, another site that stirred up numerous complaints
regarding contact scraping.

Jeff Tinsley, founder and chief executive of MyLife.com, said that his
company was constantly improving its registration system.

“We register more than two million users a month, and the complaint
rate is very small,” Mr. Tinsley said. “It’s very important to make
the process very clear, but that said, sometimes people are going with
the flow and not paying attention. It’s impossible to just take
someone’s address book. An individual has to give us his credentials.”

Tom, however, said he didn’t recall typing in his password, so he was
not sure how his address book was accessed.

In some cases, buried deep within a company’s terms of service or
privacy policy is information about sharing e-mail addresses, but few
people ever get that far.

“We don’t think the consent is meaningful or transparent,” said Marc
Rotenberg of the Electronic Privacy Information Center, a public
interest research organization. “People don’t know how their
information is being used.”

Donna Tapellini, senior editor for Consumer Reports, which reported on
this in its June issue, said such practices raised privacy issues.
“It’s your private contact list and you should be able to protect it,”
she said.

Such actions may also violate the federal antispamming law —
officially known as Controlling the Assault of Non-Solicited
Pornography and Marketing Act and unofficially as Can-Spam — which
regulates unsolicited commercial e-mail, prohibiting, among other
things, false or misleading information in a subject line, said Eileen
Harrington, deputy director of the Bureau of Consumer Protection with
the Federal Trade Commission. Ms. Harrington emphasized that she was
speaking in general terms.

“We’re now fully in the era of Web 2.0 and under many circumstances,
consumers may be providing more information than they realize,” she
said.

The problem is, it takes a long time for people to learn the tricks.
So here are some words of advice from Mr. Argast.

First, don’t supply your user name and password from one site — say
Yahoo or Gmail — to a third-party site. And don’t use the same user
names and passwords for different sites. That’s good advice that most
of us — myself included — often fail to follow. He told me some 80
percent of users his company surveyed reuse their passwords.

The problem, of course, is remembering different user names and
passwords. There are programs or tools that provide an easy way to
remember multiple passwords, like 1Password, Sxipper, Keychain or
Firefox Password Manager.

You can also set up a separate e-mail account for registrations, which
won’t have your contact list.

Also, just be alert. Look closely at the invitation. Are there
misspellings, for example? Does something just feel not right? If so,
e-mail your friend asking if he meant to send you the query.

Finally, I used this opportunity to clean up my contact list. I hope
I’m too savvy to have this happen again, but if it does, at least that
acquaintance I met in a seminar two summers ago and the British couple
I haven’t spoken to in five years will be spared.

E-mail: shortcuts@nytimes.com

**