Plaxo, Privacy and ‘Suspicious Behavior’

It seems that there’s renewed interest in Plaxo, the contact sharing service that has attracted attention both for its inventiveness and its privacy implications. First off, a reader from France, Vincent Prêtet, wrote in comments to a previous post that

Plaxo is an amazingly great tool to manage an address book. I have used it for a few months and I am really happy doing so. However, in France too the use of Plaxo gives rise to a real debate: are Plaxo’s system and Plaxo’s users respecting the laws as far as individual rights are concerned?

An EU law (directive) goes as far as writing that nobody is allowed to transmit “personal data” like contacts of an address book to a third party without having first notified each of the contacts.

Vincent asks whether any similar case is being made in the U.S. He’s also started his own blog on the subject (in French).

Another reader has sent in a screen capture from Zone Alarm that seems to indicate Plaxo “does much more than just collecting personal info”:

[Image: PlaxoZA]

I’ve asked Zone Labs about this message, who offer the following:

Yes, it does appear to be one of our alerts. The “Enables Plaxo to Securely Integrate with Outlook Express” is probably the name of Plaxo’s process that triggered the alert. The rest of the copy is the standard message for all “suspicious” alerts. The idea is to let consumers know when a process is occurring that we believe can have security ramifications and let them choose to move forward or not. One of our primary goals is to make sure people have control over what installs on their PC.

Let me know if you’d like me to check with our security team on Plaxo specifically, but typically with the OSFirewall we aren’t looking so much at specific programs, more at the actual behavior of a process (at a glance, I suspect any program that tries to integrate with Outlook that we don’t have specifically whitelisted would trigger the same alert).

At first glance, then, it looks suspicious. But on closer inspection I feel this is more a case of Zone Alarm being a bit too alarmist, or at least not building up a decent database of programs it can whitelist. Plaxo is not exactly a new kid on the block, and although I have my reservations about what Plaxo does, I’m not sure it’s tracking keystrokes, mouse movements or other ‘user behavior’.

Doubtless Stacy, Plaxo’s privacy officer, will weigh in shortly on this!

01. December 2005 by jeremy
Categories: Privacy, Software, apps

One Comment

  1. Jeremy – you know me too well. As your site is one of my regular blog reads, I’m happy to add to the discussion. Vincent also sent me an invitation to comment on his blog posting, which I’ve done. He raises a number of questions and my comments were lengthy, so I won’t repost here :-). People can read my comments on his blog site once approved – http://is-plaxo-good-or-not.blogspot.com/

    As for the ZoneAlarm alert – this is a known false positive that can occur as a result of InstallStub.exe running.

    InstallStub.exe is an application that is part of the Plaxo installation. The Plaxo installer adds InstallStub.exe to the current user’s Windows registry Run statement so it autolaunches each time a user logs in. InstallStub.exe performs a number of functions, including checking for updates, but its primary purpose is to detect the launch of Outlook Express so that Plaxo can run within this email environment.

    Outlook has a well-published API interface for supporting Add-ins such as Plaxo. Unfortunately, Outlook Express does not provide a similar API. Therefore, we use InstallStub to detect the launch of the Outlook Express executable (msimn.exe). Once detected, InstallStub calls the Plaxo Toolbar to show up within Outlook Express. Without InstallStub running, Plaxo would not work for Outlook Express users.

    Programs such as ZoneAlarm may flag this type of activity and allow the user to determine what action they wish to take. Similarly, when the Plaxo installation attempts to make changes to the registry Run statement for InstallStub, this may also be flagged and the user may be asked if they wish to allow the change. It is recommended Plaxo members allow InstallStub to operate as normal. But if the user is strictly an Outlook user, they may remove/rename InstallStub.exe so it does not launch, though this action is not recommended.

    More information about InstallStub can be found on our Support site – http://support.plaxo.com/bin/answer.py?answer=138&query=installstub&topic=0&type=f

    Also, I should mention we have renamed InstallStub.exe to PlaxoHelper.exe in the latest version of the Plaxo software to clearly identify the program as part of the Plaxo installation.

    Stacy Martin
    Plaxo Privacy Officer
    privacy @t plaxo.com
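
The comment above describes a helper registered in the current user's registry Run key and later renamed from InstallStub.exe to PlaxoHelper.exe. As an added example (not Plaxo's or Zone Labs' code), the following audits Run-key entries against a name-keyed allowlist and shows that the renamed helper is flagged until the list is updated; the allowlist contents, value names, paths and arguments are assumptions.

```python
"""Audit per-user Run-key autostart entries against a name-keyed allowlist."""
import ntpath
import re
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# Assumed allowlist: it still carries the helper's old file name only.
ALLOWLIST = {"ctfmon.exe", "installstub.exe"}
# Constructed sample; value names, paths and arguments are placeholders.
SAMPLE = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "ExampleHelperOld": r'"C:\Program Files\Example\InstallStub.exe" -startup',
    "ExampleHelperNew": r"C:\Program Files\Example\PlaxoHelper.exe",
}

def exe_name(command):
    """Return the lower-cased executable name from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):  # quoted path, arguments may follow
        path = command[1:].split('"', 1)[0]
    else:  # unquoted path may contain spaces: cut after ".exe" ending a token
        m = re.match(r"(.+?\.exe)(\s|$)", command, re.IGNORECASE)
        path = m.group(1) if m else command.split(" ", 1)[0]
    return ntpath.basename(path).lower()

def audit(entries, allowlist=ALLOWLIST):
    """Split {value_name: command} into (allowed, flagged) lists."""
    allowed, flagged = [], []
    for name, command in sorted(entries.items()):
        exe = exe_name(command)
        (allowed if exe in allowlist else flagged).append((name, exe))
    return allowed, flagged

def read_run_key():
    """Read the current user's Run key (Windows only)."""
    import winreg
    entries = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = value count
            name, value, _ = winreg.EnumValue(key, i)
            entries[name] = str(value)
    return entries

if __name__ == "__main__":
    entries = read_run_key() if sys.platform == "win32" else SAMPLE
    for name, exe in audit(entries)[1]:
        print(f"REVIEW {name}: {exe} is not on the allowlist")
```

Matching on file name alone keeps the example short; an allowlist keyed on full path or publisher signature is stricter and survives neither a rename nor a relocation without review.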