Typing In an E-Mail Address, and Giving Up Your Friends

[Noreen]

A long New York Times online article which may be of interest.

"June 20, 2009

Typing In an E-Mail Address, and Giving Up Your Friends' as Well
By ALINA TUGEND

I THOUGHT it was a little strange when I received separate e-mail messages from two people I knew only slightly asking me to click and see their photos on a social networking site called Tagged.

I ignored them at first, but then thought maybe I should check it out. After all, I should keep up on what's hot in the social networking world, right? This could be the new Twitter.

That's when I started doing everything wrong. I obligingly typed in my e-mail address and a password to see those photos. Well, the photos didn't exist, but I had unwittingly given the site "permission" to go through my entire e-mail contact list and send a message to everyone, inviting them to see my "photos."

I found this out only when I started receiving e-mail back from people agreeing to be my friend. I quickly realized what had happened and shot off an apologetic message explaining why I inadvertently spammed them.

As friends' responses started rolling in, I heard from some who had received similar e-mail. Others told me about the same problems with Web sites like MyLife.com and desktopdating.net.

This wasn't along the lines of someone stealing my bank account information or Social Security number, but I was annoyed and embarrassed.

"They're using your good name to establish a connection," said Peter Cassidy, secretary general of the Anti-Phishing Working Group, a nonprofit organization with representatives from law enforcement, industry and government.

So what's going on here? I turned to Michael Argast, a security analyst with Sophos, an Internet security company based in Boston, to find out.

He told me that this kind of thing has been happening for quite a long time in various forms, but has really caught on in the last three to six months. It's not the same as what's known as phishing — fake Web sites masquerading as real ones to get personal information. These Web sites really exist.

Instead, this is generally called contact scraping. Once you enter your credentials, like your user name or password, the company sweeps through your contact list and sends everyone an invitation to join the site.

How do the companies benefit? They are expanding their user population, Mr. Argast said, which they can use to attract potential investors or advertisers. Whether those users are willing participants, or people like me, is another question.

"There are multiple shades of gray," Mr. Argast said. "Some social networking sites, like Facebook, are pretty straightforward in asking if you want to share information about your friends. Others are far less scrupulous."

In the case of Tagged, my friends received a perky e-mail saying: "Alina has added you as a friend on Tagged. Is Alina your friend?" Then you click on yes or no. Even more insidiously, it adds, "Please respond or Alina may think you said no," with a sad-face icon next to it.

I apparently also offered to share some photos; some annoyed friends even told me to resend the pictures because they couldn't find them.

"It's using the chain mail psychology," Mr. Argast said. And he's right. My friends got guilt-tripped into signing on.

It's easier for these sites to get information from Web-based e-mail accounts, like Hotmail and Gmail, than from local Internet provider services, like Verizon or Comcast, but nothing is absolutely secure, Mr. Argast said.

I spoke to Greg Tseng, founder and chief executive of Tagged, to ask him what happened. He said all social networking sites invite you to e-mail your contact list to join up or discover which of your friends are already members, but that a software glitch meant an unusually large number of accidental invitations went out recently.

He said the company received almost 2,000 complaints from people who didn't intend to send invitations to all their contacts — a fraction of the three million people who registered in the month when the problem occurred.

"We immediately pushed the pause button," Mr. Tseng said. "This business lives and dies by the good will of people." He added, "We took immediate steps to rectify this problem and improve the user experience on Tagged."

Mr. Tseng said Tagged was the third-largest social networking site after Facebook and MySpace, with 16 million active users and 80 million registered users. And guess what? I'm counted as one of those registered users now.

A colleague, Tom, received a similar "invitation" from an acquaintance inviting him to join MyLife.com about a month ago. He clicked on "yes," and started receiving e-mail from people on his contact list thanking him for inviting them.

"At first it was amusing, but when I realized that it was mining my address book, it wasn't so funny anymore," he said. MyLife.com was formerly Reunion.com, another site that stirred up numerous complaints regarding contact scraping.

Jeff Tinsley, founder and chief executive of MyLife.com, said that his company was constantly improving its registration system.

"We register more than two million users a month, and the complaint rate is very small," Mr. Tinsley said. "It's very important to make the process very clear, but that said, sometimes people are going with the flow and not paying attention. It's impossible to just take someone's address book. An individual has to give us his credentials."

Tom, however, said he didn't recall typing in his password, so he was not sure how his address book was accessed.

In some cases, buried deep within a company's terms of service or privacy policy is information about sharing e-mail addresses, but few people ever get that far.

"We don't think the consent is meaningful or transparent," said Marc Rotenberg of the Electronic Privacy Information Center, a public interest research organization. "People don't know how their information is being used."

Donna Tapellini, senior editor for Consumer Reports, which reported on this in its June issue, said such practices raised privacy issues. "It's your private contact list and you should be able to protect it," she said.

Such actions may also violate the federal antispamming law — officially known as Controlling the Assault of Non-Solicited Pornography and Marketing Act and unofficially as Can-Spam — which regulates unsolicited commercial e-mail, prohibiting, among other things, false or misleading information in a subject line, said Eileen Harrington, deputy director of the Bureau of Consumer Protection with the Federal Trade Commission. Ms. Harrington emphasized that she was speaking in general terms.

"We're now fully in the era of Web 2.0 and under many circumstances, consumers may be providing more information than they realize," she said.

The problem is, it takes a long time for people to learn the tricks. So here are some words of advice from Mr. Argast.

First, don't supply your user name and password from one site — say Yahoo or Gmail — to a third-party site. And don't use the same user names and passwords for different sites. That's good advice that most of us — myself included — often fail to follow. He told me some 80 percent of users his company surveyed reuse their passwords.

The problem, of course, is remembering different user names and passwords. There are programs or tools that provide an easy way to remember multiple passwords, like 1Password, Sxipper, Keychain or Firefox Password Manager.

You can also set up a separate e-mail account for registrations, which won't have your contact list.

Also, just be alert. Look closely at the invitation. Are there misspellings, for example? Does something just feel not right? If so, e-mail your friend asking if he meant to send you the query.

Finally, I used this opportunity to clean up my contact list. I hope I'm too savvy to have this happen again, but if it does, at least that acquaintance I met in a seminar two summers ago and the British couple I haven't spoken to in five years will be spared."

[Sebby]

Worrying, isn't it. Still, I believe that if someone falls for this, then they're not properly educated on computers. Perhaps that's easy for me to say, but something must be done so that people know what is and isn't malicious, otherwise things are only going to get worse.

[Simon]

Good article, Noreen, worth passing on. 

[Gary]

I received emails from a friend who had a couple of my email accounts separately asking me to join this site we could chat on, I did not even open them I checked the properties of the email googled the info of the site, found out it was similar to the above and blocked the address, and informed my friend what had happened, some people just are to careless, and sadly with good intent.

[vitriol]

I've had two of those emails from Tagged.  They got binned instantly.

[trophymick]

Slightly off topic, but emails from people that have done the rounds, the amusing/not so amusing ones. Why do they leave all the other recipients addresses for all to see, Bcc please.

[Simon]

I agree, Mick, but the type of people who forward emails on, because it says at the bottom to send to all your friends, don't seem to think of things like that.