Stopping Address Book Spam
by Patrick Ruffini :: September 10th, 2007 12:10 am

Over the summer, cool new scripts that let you upload your Gmail/Yahoo/MSN/etc. contact lists to major sites have really taken off. The most common (and useful) application comes when you can upload your list to see who is on any given social networking site. Facebook, LinkedIn, Twitter, and many of the others enable this, and you can search MySpace and other 1.0 sites using Upscoop. Using one of these tools, I’ve discovered that one in four of the people I’ve ever transacted with over email has a Facebook account.
It didn’t take long for the dark side of this to emerge. In the past week, Quechup and Rapleaf (the folks behind Upscoop) have been smacked down hard for spamming the addresses unsuspectingly uploaded by their users. What was supposed to be a convenience for the end user, enabling them to quietly check up on their friends’ social networking profiles, has instead become a conduit for spam, with hundreds receiving bogus “invitation” or “you have been searched for” emails as a result of a single upload.
Jenn Sierra is canceling her Quechup account as a result, and this is shaping up to be a massive P.R. headache for the company. Meanwhile, Rapleaf (whose founder I consider a friend) has apologized. Plaxo was a much earlier incarnation of this problem (remember those annoying “I’m keeping my address book up to date” emails?). It got so bad network admins would routinely block the site from their corporate networks. Now, Plaxo is seeking to reinvent itself in a much friendlier, Web 2.0 savvy service. Canadian tech reporter Mathew Ingram has a much more thorough review of this issue.
Is this immediate backlash enough to rein in this abuse? I hope so, but I’m not so sure. Given the highly leveraged nature of these communications, with 1 person sending to 1,000 or more, it seems reasonable that Google and Yahoo could easily shut down contact list access, or limit it to the Facebooks of the world.
As someone who’s implemented contact list imports, and who sees the tremendous upside if they are used in an honest, transparent fashion, I wouldn’t want to see this happen. Web startups need to act quickly to contain this, and adopt voluntary guidelines to ensure that users can trust them to handle the sensitive contents of their address book.
I would suggest some guidelines like the ones below, incorporated into privacy policies and perhaps highlighted in a “Why this is safe” link next to the contact importer. These should cover just about every reasonable scenario. Let me know if I’ve missed anything.
- Option A: Non-Retention of Addresses. Explain that the site offers you the ability to upload your contact list, a comma-delimited list of names, for the purposes of finding users or sending a link. Those addresses are used solely to check against the site’s membership database or send your friend the link that one time and are not retained.
- Option B: Addresses Retained, But Sender Controls. On many sites, you might need to retain the contacted email addresses — for instance, invite-only sites that authenticate based on email. However, the original sender controls when and how their addresses are mailed, and the site is only sending messages from the original sender, on his or her behalf. These addresses aren’t visible to other users, and cannot be used by the site to contact these third parties directly.
- In every case… Sender Controls. The names can only be emailed specifically at the direction of the original sender, and cannot be mailed under false pretenses (if all you do is upload your list, that’s not an “invitation”). Scenarios include: one-time (user sends a link out, or some invites, and that’s it), multiple times (their contact list is saved for their personal convenience when they go to send future stories), or on a recurring basis (you need to be extremely explicit and transparent about this — “I authorize [site] to send my contacts my blog posts once a day/week/month/etc.” — and the original sender must be copied on all outgoing emails. And it’s probably a good idea to put a cap on the number of contacts you can send to).
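To make the two guidelines concrete, here is a small contact-import handler written for this post as an added example (it is not code from Quechup, Rapleaf, Plaxo or any other site named above). Everything in it is a constructed illustration: the member list, the server key, the email addresses and the cap of 50. It shows Option A as a compare-and-discard step (the membership index holds keyed hashes, so neither the index nor the upload ever has to be written to storage as readable addresses), and the "Sender Controls" rule as a gate in front of the mailer: nothing goes out unless the sender explicitly picked recipients and clicked send, the mail is from the sender with the sender copied, and a recipient cap is enforced.

```python
"""Contact-import handling that follows the non-retention and
sender-controls guidelines.  Added example; all values are constructed."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed server-side secret.  Keying the hash with it means the
# membership index contains no readable addresses and an uploaded list
# can be compared in memory and dropped, never persisted.
SERVER_KEY = b"constructed-demo-key"

INVITE_CAP = 50  # constructed upper bound on recipients per explicit send


def normalize(address: str) -> str:
    """Trim and lower-case so matching is case-insensitive."""
    return address.strip().lower()


def fingerprint(address: str) -> str:
    """Keyed hash of a normalized address; the raw address is not kept."""
    return hmac.new(SERVER_KEY, normalize(address).encode(), hashlib.sha256).hexdigest()


def build_member_index(member_addresses):
    """Index of existing members stored as fingerprints only."""
    return {fingerprint(a) for a in member_addresses}


def match_contacts(uploaded, member_index):
    """Option A: one comparison, return the uploaded contacts that are
    members, retain nothing.  The uploaded list exists only in this
    function's frame; the caller gets back matches to display."""
    return [a for a in uploaded if fingerprint(a) in member_index]


@dataclass
class OutgoingMail:
    sender: str
    recipient: str
    cc: list
    subject: str


@dataclass
class InviteRequest:
    sender: str
    selected_recipients: list   # addresses the sender explicitly ticked
    authorized: bool = False    # True only after the sender clicks "send"


def send_invitations(req: InviteRequest):
    """Sender-controls rule: mail leaves only at the sender's direction,
    only to recipients the sender selected, from the sender and with the
    sender copied, and never to more than INVITE_CAP people.  Returns the
    messages that would be handed to the mailer."""
    if not req.authorized:
        raise PermissionError("no explicit send action from the sender")
    if not req.selected_recipients:
        # Uploading a list is not an invitation.
        raise ValueError("no recipients were selected by the sender")
    if len(req.selected_recipients) > INVITE_CAP:
        raise ValueError(f"recipient cap of {INVITE_CAP} exceeded")
    seen, mails = set(), []
    for r in req.selected_recipients:
        r = normalize(r)
        if r in seen:           # one message per address per send action
            continue
        seen.add(r)
        mails.append(OutgoingMail(sender=req.sender, recipient=r,
                                  cc=[req.sender],
                                  subject=f"{req.sender} invited you"))
    return mails


if __name__ == "__main__":
    # Constructed sample data.
    members = build_member_index(["alice@example.com", "Bob@Example.com"])
    upload = ["ALICE@example.com", "carol@example.com", "bob@example.com"]
    print("already members:", match_contacts(upload, members))
    req = InviteRequest("me@example.com", ["carol@example.com"], authorized=True)
    for m in send_invitations(req):
        print(f"from {m.sender} to {m.recipient} cc {m.cc}: {m.subject}")
```

The keyed hash is what lets a site honor Option A honestly: the import can answer "who is already here" without the uploaded addresses ever touching a database row. For an Option B site that must keep addresses, the same `send_invitations` gate applies, and the `authorized` flag is the place to record the scope the sender agreed to (one-time, multiple, or recurring) before anything is mailed.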
Trackbacks (5)
[…] Patrick Ruffini sounds off, […]
[…] Updated 09/10/07 Patrick Ruffini has more information on address book spam. […]
[…] Chris Hambly has a contrarian view that the small print makes it clear they’ll email everyone, without further notice, in any address you give them access to. Personally, I think they’ve broken with what have become well-established conventions of interface design for this kind of application (good summary of good practice by Patrick Ruffini) - that mass emails won’t take place without the user’s say-so. So responsibility goes two ways - on our side as users for being too arrogant and impatient to read the details and with Quechup for abusing our trust in the essential good will of humanity - actually, the more I think about it, the more I agree with Chris. […]
[…] The controversy really blew up this weekend after some bloggers noticed emails coming from RapLeaf notifying them that someone had searched their email address, and inviting them to return to RapLeaf’s site to “take control” of their profile, which by the way, requires registration and the divulging of more profile data. A few bloggers cried foul, some charging RapLeaf with heinous spamming, Scoble claiming that RapLeaf was selling email addresses to marketers. Pandemonium ensued, and RapLeaf found itself living a WalMart. But RapLeaf is smarter than WalMart and its PR firm Edelman. Much smarter. […]
RapLeaf: Social Media’s Trojan Horse…
I’ve been watching the furor over the RapLeaf controversy for the past couple of days, really struggling over whether or not to weigh in. If you’ve already been following the controversy, drop down to the next subhead, “The RapLeaf Problem”…