More On Plaxo, Privacy and Opting Out

This is likely to be the last exchange on Plaxo: Hopefully some of the issues that have concerned me and readers have been cleared up by this and other recent posts.

Plaxo have kindly added a comment in reply to my posting on how to avoid Plaxo, in which they’ve pointed out that they have added an opt-out feature, meaning that instead of receiving endless ‘reminders’ to update your contacts from users, you can avoid either specific or all such requests via a link in the update email. (This link takes you to a page offering three options: Blocking all update requests from that person, using an auto-reply feature I mentioned in the previous posting, or a ‘permanent opt-out’.)

This is good news, and thanks for pointing this out. Plaxo says in the comment, “It’s right there in every Update Request sent and has been provided by Plaxo for some time now.” However, I’ve gone back through Plaxo update requests and readers’ mail on the issue and can only find Plaxo update requests sent to me in December to have included this feature. Unless I’m mistaken, prior to that there was no readily obvious way to opt out, and I have received complaints as recently as October of readers receiving multiple update requests with no visible method of avoiding future ones. (The webpage that refers to this feature does not indicate when the option was added, but says the page was updated on December 23.) In emailed responses to questions, Plaxo’s Stacy Martin says this opt-out became a standard option in November.

I accept that Plaxo now makes it easier for non-users to opt out of future requests, and I can readily understand that it’s difficult to find the right balance. On the one hand you don’t want to bug people who don’t want to be bugged; on the other, the only way to do this is for those who want to opt out to register all their known email addresses with Plaxo, since the company has chosen to use email addresses as the best way to recognise and store individual records. If users want to opt out, some sort of record needs to be kept of their wanting to opt out, in the same way a spammer is (supposedly) bound to keep a record of people who don’t want to receive more spam from them.

That said, this opt-out feature could be easier to find on the Plaxo website. It’s not mentioned on the front page, as far as I can see. On the support page linked by Plaxo’s Trust Officer I could find no mention of it, or direct link there. It was not on the page of frequently asked questions. You can find information about the opt-out feature by, among other possible ways, typing ‘opt-out’ or ‘optout’ into the search support box and selecting either the ‘all search topics’ option or the ‘Information for IT departments’ option. Performing the same search in the (more logical, in my view) ‘Troubleshooting’ or ‘Security and Privacy’ categories will not provide this link — except tangentially, for example at the bottom of one page referring to the question ‘Does Plaxo send spam to my contacts?’. (Plaxo’s Martin demurs, saying “In looking at the traffic flow on our web site, we’ve found the large number of users looking for assistance go straight to using the search within the Help Center and search on all topics rather than browsing around or searching on a subset of topics… Searching for “opt-out”, “stop”, “opt”, “no mail”, “out”, “optout” all provide users the proper information on how to stop receiving update requests.”)

Finally, if you’ve made it to the opt-out page – or clicked on the opt-out link provided in the update requests I mentioned at the start — you’ll be warned against using this feature. Click on the link in an email and you’ll be told ‘If you choose this option, friends and contacts with important update e-mails will no longer be able to contact you using Plaxo’. On the opt-out page itself, you’ll be told, in bold: ‘Note that by permanently opting-out, friends and business associates can no longer request your latest information or send you their latest contact information’.

I find the wording of both messages somewhat alarmist to the casual user: Both seem to suggest that somehow people will not be able to contact anyone who accepts this option. I believe the wording could be better constructed to make clear that accepting this option is ONLY going to remove them from future Plaxo emails and not have any more disastrous impact on their social, business or family life. If someone has gotten this far to opting out, I think Plaxo have probably lost them as a potential customer and they should give up gracefully.

All this said, and despite some residual concerns about Plaxo’s practices, I remain a Plaxo user and have, on balance, found it to be very useful. It appears that Plaxo has been responsive to user concerns and tried to hone its approach. But there’s clearly some ways to go, and, at least on the opt-out issue, I think Plaxo could be clearer, by at least

  • posting a link on the home page,
  • marking it clearly on the support page and
  • by avoiding language on the opt-out page itself that may confuse or deter the casual user.

Plaxo’s Martin says they’ve already made some changes to accommodate these suggestions, which I emailed to her before posting here. It’s good to see that they are responsive to these and other concerns: Another feature that bugged readers, if my mailbag is anything to go by, was the way Plaxo kept a record of how many update requests were sent to any non-user, even if they weren’t from the same source. This kind of intrusiveness raised hackles, understandably, in that Plaxo appeared to be targeting prospective users and keeping tabs on them. Stacy says this feature was dropped last November.

Now, The MyDoom Backslapping

Cue trumpets. The security software folk have started congratulating themselves for saving us from MyDoom.

Here’s DeepNines Technologies, “the only company to offer a security platform that includes firewall, intrusion prevention and gateway anti-virus functionality in front of the router”, which says: “Companies that have Sleuth9 deployed in front of the router, are finding that approximately 1.5 out of every 10 emails are infected and they are successfully blocking those emails at the perimeter, thus preventing MyDoom from impacting the network.”

Here’s CrystalTech Web Hosting Inc, “a Microsoft Windows-based web host located in Phoenix, Arizona”, which says it “has effectively eliminated the threat of the MyDoom virus for over 1.2 million mail accounts and over 38,000 domains that are hosted on their network”.  Customers, the company is not shy in pointing out, were impressed: “The speed and efficiency with which CrystalTech acted did not go unnoticed by their customers. Several noted on the CrystalTech message board that they were seeing few, if any, infected messages in their inboxes. The majority stated that they were seeing more in their outside accounts, with one customer stating that their free email account was full with infected messages within a day, whereas his CrystalTech account had a single infected message.”

In fact, reading this stuff you’d think the virus had only hit folk in outer space. BorderWare Technologies Inc., “The Security Appliances Company(TM)”, says “no MXtreme Mail Firewall customers have been affected by the MyDoom outbreak or any of its variants and mutations”.

And then, of course, there’s the intoxicating smell of free publicity: 0Spam.Net, “the most accurate Anti-Spam solution in the world for eliminating Spam, Pornography, Phishing (Identity Theft Fraud) and Viruses from email”, is offering “free protection against email delivery of the MyDoom virus and any variants that might appear over the next 30 days” to ISPs, companies, governmental or non-profit organizations, and extends it to individuals and families as well. It’s not clear whether this offer was already in place before MyDoom hit. Now that really would have helped.

Then there’s the individual heroics: My favourite is from San Diego, where, hours before the world realized what was happening, a certified Juvio computer technician, assisting a customer with a troubled computer, detected the MyDoom virus. “With no known protection codes available, the Juvio technician immediately set about to write script to defeat this destructive new virus. In a matter of minutes, the victimized customer ceased to be attacked by this malicious virus thanks to the expertise and quick skill of the attending Juvio technician. The technician immediately alerted fellow Juvio technicians to the situation and provided them with a repair solution, effectively assisting several global customers who found themselves to be in need of emergency help.” I’m not complaining, by the way: This is an uplifting tale and much more fun to read than most press releases.

The serious point in all this, I guess, is that the flood of press releases that tracked MyDoom’s progress (including interactive maps and charts), and now this self-congratulatory fluff, brings home how much money is to be made from selling stuff to protect people.

How To Avoid Plaxo

Plaxo, the automated contact updating service, have responded to my last posting (see the comment at the bottom). I don’t think we need to go there any more. Bottom line: At present Plaxo exerts a high degree of access to your address book, and you may want to think carefully before you sign up about whether you want that. That said, Plaxo is a very useful tool, and they seem to be receptive to the idea that some things need to be improved.

For those of you who don’t want Plaxo, and are tired of getting requests from people to join up, here are two solutions from a reader:

  • When you get your first Plaxo update email from someone, set up an account with ‘fake’ info, and then edit your ‘card’ and click the ‘register your old e-mail addresses with Plaxo’ link. Put all your email addresses that other people might have there. Then anytime someone requests an update, they’ll get your fake card — with the right email addresses, but nothing more — back. And you won’t hear from them again.
  • When you get your first Plaxo update email, don’t sign up but go to this link. Fill in the ‘auto-reply’ form and put in some fake info. “This,” the reader says, “appears to have the same effect. The problem is once you register an email address in Method 1, you can’t use that email address in Method 2.”

The good news: “Either method ensures no one bugs you ever again for the email addresses that you have registered.” Ingenious.

The bad news: “I really dislike the fact that you can’t tell Plaxo to remove your email address from their system completely and forever. They will keep it on their database. This probably breaches the Privacy Acts of some jurisdictions.” Fair point.

I certainly know of many friends who have been deeply annoyed by multiple requests from Plaxo users, and these methods offer a good workaround. But perhaps Plaxo should consider a way for users to ‘opt out’ of the whole Plaxo thing, without having to spoof as this reader does, since this spoofing doesn’t help anybody: The fake information is a nuisance for the recipient, a waste of time for the spoofer, and a waste of space for the Plaxo records. And it still requires Plaxo holding some user data (the email addresses) which clearly offends some folk.

Back to you, Plaxo, for comments?

A Good Way To Organise Outlook Emails

This is a must if you’re a power Outlook user: NEO Pro 3.0, out in Beta today.

NEO is an add-in product that “turns Outlook into an email organizer – without affecting all that Outlook already does”. NEO, also known as Nelson Email Organizer, is good at finding messages quickly and automatically displaying messages in different ways.

Caelo Software Inc. (pronounced Kay-lo), the makers of NEO, has introduced three other features:

  • auto-classification of folders between New, Current and Dormant top-level areas (auto-moves old correspondents to Dormant after x days of inactivity)
  • global filtering (e.g. ‘show me my active correspondent messages addressed exclusively to me for the past 5 days’), and
  • manageable Outlook categories (see categories at a glance – easily edit, split and merge your categories).

The beta trial program is free: download it here. I’ve used previous versions, and, while I’m not an Outlook fan, previous versions of NEO definitely made things a lot easier.

In Plaxo-land, There’s Still Some Confusion

This Plaxo issue is confusing. But it’s still worrying.
 
Here’s the story so far: Plaxo is a way to keep your contacts up to date, and it works well and simply. But privacy has been an issue: Can you trust a company to keep your personal data — not just your own details, but all your contacts who also use Plaxo — safe? Plaxo have been quite convincing about this issue, which is why I and a lot of other people use the service: More than a million, according to their website.
 
But here’s the tricky bit: In recent months I’ve noticed that some contacts have been updating themselves in my address book without me giving them permission to do so — or even requesting it. The responses I’ve received from Plaxo have been of the kind you can see in the comments on one of my recent postings about this, namely, that can’t happen, it must be a user (i.e. my) error.
 
Now I’ve got a more complete, and complicated response from Stacy Martin, Plaxo Trust Officer. Stacy’s gone to some trouble to answer my complaint, and readily acknowledges the system isn’t perfect. And I accept that my earlier fear — that people I have never met, or put in my address book, may be adding their contacts — is unfounded.
 
But, without wanting to be difficult, I’m still not satisfied. The problem is this: Plaxo doesn’t just handle the contacts you assign to be updated via Plaxo, it accesses — and can alter, without your approval — your whole address book.
 
It’s complicated, but to try to boil down the argument I’ve paraphrased. I hope I’ve done it correctly: Plaxo, Stacy says, can only UPDATE entries that already exist in your Outlook/Outlook Express address book. It cannot ADD new entries unless you approve the action. This automatic update can occur in one of two ways:

  • If you and someone else have both agreed to allow update requests, or
  • Your address book contains at least the e-mail address of another Plaxo member who has granted other Plaxo members access to his information contained on one or both of his cards.

It’s this second one that is causing the problem. It sounds complicated, I know, but it comes down to this: If you have in your Outlook or Outlook Express address book anyone who is also a member of the Plaxo network, whether or not you request it, that person’s contacts will automatically update themselves in your address book. This leads, as you may imagine, to some surprising results:

  • All the people in your address book — whether added manually by you or automatically by your email program (Outlook versions prior to 2002 had this feature) or any other program interacting with your address book — can now be altered remotely by those people, so long as they are Plaxo subscribers (in one case a contact was not only altered but the name given to that person — his actual name — was altered, making him, er, hard to locate);
  • This appears to override your original settings, that is, the list of people you requested updates from when you first configured the program.

In short, with Plaxo you’re no longer in control of your address book. Signing up to Plaxo means your whole address book is accessible by Plaxo (and presumably stored on their server, not just those contacts you’ve chosen to update via their service).

Stacy readily accepts some of this is confusing, and says “we feel there is much more work we can do on our end to make this action more clear and understandable as to not alarm the member. Hopefully, future versions of Plaxo Contacts will make this more evident.”

That’s a start. Here’s my tuppennies’ worth:

  • I think other Plaxo users would be as surprised as I to find out that Plaxo has a complete record of, or access to, our address book, whether or not we submitted all those contacts to Plaxo initially, and
  • that as a result people we have not contacted have updated themselves in our address book, without our permission.
  • How does Plaxo ‘synchronise’ our contacts? Is this done only with those contacts marked as ones we have agreed to update via Plaxo, or is it all of them?
  • What about the embarrassment quotient? What happens, for example, to contacts we have at some point deleted from our Outlook address book? Is this information — the deletion — passed on to the Plaxo-fied contact?

The bottom line here is, in my view, that Plaxo have got to give much greater control to the user as to who and what is updated in the address book. My assumption was always that those people we’ve not selected to update via Plaxo would not be updated, or even accessed, by Plaxo. And to me the logical idea would be that if that did happen, we would get the chance to scotch such updates and sever contact with that person if we so desired. I’m relieved to know that Plaxo folk aren’t able to add themselves to my address book without my say-so, but I still believe there’s a lack of user control over who gets to update what.

Plaxo is a great concept, and a good service, but it must abide by its own promises, like this one: “At all times, members of the Plaxo Contacts service control how their information is used and with whom it is shared.”

More On Plaxo

Further to my outburst about Plaxo, and the suggestion that people you don’t know can add their contacts to your Outlook address book without your permission, I’m pleased to see that someone from Plaxo has added their comments (at the bottom of that posting).

I’ve also received a more detailed response from someone in Plaxo’s privacy department, which I shall go through and summarise in a later posting. Suffice to say I’m not yet convinced of the argument that it’s a simple question of the user’s (i.e. my) error. I’ll explain later; it’s not a simple issue. But thanks, Rikk, for taking the trouble to add your comments.

What Is This Virus REALLY All About?

Further to my outburst about how network administrators and anti-virus companies may be making the whole MyDoom thing worse, here’s a similar take, albeit more detailed and informed than mine, from Attrition.org. The message: Treat all emails ‘notifying’ you that you have a virus as spam and inform the administrator/company/ISP accordingly. Thanks to the excellent TechDirt for pointing this one out. CNET have a similar report as does The Register.

My tuppennies’ worth? Sue anybody who accuses you of harbouring a virus. It’s defamation pure and simple.

Some other tidbits about the virus: It seemed to have originated in Russia, and may not actually contain an attack on SCO.com, so there’s a strong school of thought growing that all that SCO/Linux stuff is a ruse, and that the real purpose is a good old fashioned Mafia-originating password-stealing scam. If so, it’s reassuring to know that a) the open source crowd haven’t gone bad and b) it’s still just about da money. Slashdotters discuss the matter here.

That said, there’s a lot about MyDoom we don’t know, and writing it off as a variation of earlier worms I think misses the point. Viruses may often be built on old ones, but it doesn’t mean they do the same thing. Microsoft Monitor calls it “one of the more sophisticated viruses in recent memory” and says antivirus companies are only starting to learn about what it may do.

Organizing Software For The Mac

I recently wrote about outlining software in my column (recommending, for Windows users, among others, MyInfo and Jot+). Now here’s a recommendation from a reader for Mac users: StickyBrain.

From the blurb: “StickyBrain elegantly handles all the miscellaneous tidbits of information which don’t cleanly fit in other software programs like your contact manager or word processor. Rather than have this information scattered everywhere including on your desk, StickyBrain provides the central location for it all.” It actually looks very good.

 

Cool, But Simple, Note Software

Here’s a fine piece of software that does important stuff simply and cleanly.

There have been hundreds of ways to jot quick notes aboard your PC but most are too fiddly and fussy. NotesHolder isn’t either. It’s just a small window that hides on the edge of your screen until you access it, then type in whatever stroke of genius you need to record.

The free version is enough, but the standard version ($15) has that all important extra tweak: the ability to access it by a customisable hot key, whatever program you’re in.

The guys who make it, A!K Research Labs, are a bit shy about who they are, but I have a feeling they’re from Smolensk in Russia.

Is Plaxo A Namecard Spammer?

What gives at Plaxo?

I’ve decided to stop recommending what seemed to be a pretty good way to stay up to date with contacts after a series of weird incidents when folk unknown to me were somehow able to add their contacts into my Outlook address book without my say-so (today’s was someone from a PR company I’ve had dealings with before, but never, to my knowledge, with this person).

I’ve raised this issue before and have waited for more than two months for word from Plaxo about the matter, so they’re off my Christmas card list and, until they can explain what’s going on, and, if required, fix this, I don’t recommend anyone else use it. Plaxo is a good idea, but the privacy concerns about it all have scared people right from the start. This latest hole — where, apparently, anyone can spam their way into your address book, along with comments like “Winner of the PR Week Asia ‘New Consultancy of the Year’ award for 2001” — isn’t going to put minds at ease.

Until then, I’m forced to ask:

  • How do people I don’t know know that I’m on Plaxo?
  • How can they automatically add their contact details to my Outlook address book without me approving it?
  • Is this how Plaxo is making its money? Charging some folk to spam possible clients with their namecard?

Looking forward to getting some answers on this, which I’ll pass along to the blog.