Tag Archives: Internet users

Plaxo’s Trojan Horse

Was Plaxo just a Trojan Horse into Outlook?

Plaxo, the controversial contact management service, never really came clean on how it was going to make money, a fact which has contributed to user suspicion about its motives and its commitment to keeping secure and private all the contact data it handles and stores on behalf of unpaying customers. But now everything may be clear, after it quietly announced last week that it had partnered with Yahoo to build search into Plaxo’s toolbar in Outlook. Plaxo 2.0 will include the function, to be released this month.

As Nino Marchetti of the Unofficial Yahoo Weblog points out: “The take home from this is that Yahoo, through this partnership, has opened a door which could take traffic away from Google and other search engines by keeping people from leaving Outlook and going into their browsers until after they have already hit the Yahoo search button.” In other words: Outlook users won’t need to go to Google, or its desktop toolbar, to do a search.

Indeed, Plaxo’s efforts suddenly make more sense. The most expensive and desirable desktop real estate may not be in the browser — via some toolbar, or homepage, or whatever — but in Outlook, when a lot of people spend increasingly large parts of their day. While most Outlook add-ins take up only a button or two, Plaxo’s has taken up quite a bit of space, and is perfectly positioned to add the search feature. The result: Searches that bypass Google entirely.

As Plaxo’s press release puts it:  ”Yahoo! is continually seeking new ways to bring ubiquitous search access to Internet users,” said Tim Cadogan, vice president of Search at Yahoo, Inc. “By embedding Yahoo! Search in Plaxo 2.0, Yahoo! will facilitate seamless Internet searches for Plaxo’s fast-growing user base from within Outlook.”

Expect to see a lot more products that offer ‘valuable services’ via a toolbar in Outlook, but in fact are aimed at drawing traffic to certain sites. Browser toolbars are out; Outlook toolbars are in.

Plaxo and Privacy — A Storm In A Teacup?

Plaxo, the besieged contact updating service, is pointing readers of its blog to an article that takes issue with the company’s critics.

The article, written by Jim Harper of PolicyCounsel.com, takes issue with privacy concerns, especially those aired by Australian academic Roger Clarke which I’ve tried to summarise in an earlier post. Jim’s language is quite robust, apparently a reaction to Roger’s own riposte to an earlier posting by Jim on RFID tags. Still, he makes an interesting point: Why all the fuss about handing over your contact data?

For just a moment, let me go into Clarke’s starting point a little further: the idea that contact information is sensitive. It’s not. In fact, contact information is created precisely for the purpose of sharing. People print contact information on cards and give it out. There are entire books – called “phone books” – designed to broadcast contact information far and wide. People put their contact information on letters and in e-mails. Contact information is about as private as the nose on your face.

So who is right? It’s true that contact information in itself is a more or less public commodity. I can decline to hand over my business card to someone I don’t like the look of, but once the card is handed over to anyone, I can no longer assume that information is secure. But my reading (and hey, I’m no expert) of Roger’s original piece is that there are two main outstanding problems:

  • It’s less about handing over one’s data about oneself, but about someone else handing over their data about you. The main objection people have about Plaxo is that, by uploading their address book to Plaxo’s servers, someone else is giving away information about you. As Roger points out: “Under the doctrine of privity, a contract creates rights and responsibilities for the parties to the contract, but for no-one else. Hence there are no rights whatsoever under the contract for the individuals to whom the data relates.”
  • The second issue is about the connections implied in such data — not just whether you’re in someone’s address book, and who else is there alongside you. If someone is arrested for fraud, does the fact that you’re in their address book make you a suspect? Roger writes: ”The threat involved in consolidations of address-books therefore has an important social dimension, and if it affects a person’s employability or career advancement, then an economic dimension as well.”

On the surface neither of these concerns may seem all that relevant. If you’re in a criminal’s address book/PDA/cellphone chances are you’re going to be interviewed by police, whether they got the information from Plaxo or from riffling through his dashboard glove compartment. And, in the first case, what’s the difference between someone storing your contact details in their PDA than online with Plaxo?

First off, I think Jim’s taking too much of an old world view of privacy. He writes that “there isn’t much difference between an online social network and the online or offline lists of club memberships, fraternities, churches, phone systems, magazine subscribers, buyers of goods, sellers of goods, transporters of goods, employees, employers: the list of lists goes on and on.” True, in terms of the nature of such data. But computers and the Internet make handling — and, potentially, mining — such lists much more efficient. In its first seven months Plaxo had more than a million members: Assume, each one has a contact list of 100 people. That’s 100 million names (lots of duplication, of course, but my figures are conservative.) Plaxo has promised not to do anything with this data, but Roger’s point is a fair one: Existing privacy laws don’t really deal with situations where users voluntarily surrender data about other people. So we’re already in new territory.

Internet users are already aware of this; just a year or so ago many of us wouldn’t have baulked at entering personal details into a website in return for access. Not any more. The Internet, once this great repository of information and a community of benign and helpful folk, has turned around and bit us on the collective behind. Spam is just the most visible aspect of it. We now see our lives visible online, so much so that prospective dates are ‘Googled’ to see whether their background is up to snuff. Privacy nowadays is not so much about keeping yourself to yourself, but in trying to reassert some sort of control over which specific data enters the public domain. A blogger is quite happy to spill their most intimate beans online, but that doesn’t mean they’re about to reveal their cellphone number to telemarketers, or become part of some large database that may end up being sold to SMS-Spammers-R-US.com a few years down the track. Personal contact data are, after medical and financial data, the most sensitive data one has.

Jim’s right to raise questions about the heat that Plaxo has been taking (and I readily confess some of the postings here have perhaps contributed to it, although I’ve tried to synthesize the arguments for and against, along with Plaxo’s responses). But it seems to me that if people feel uncomfortable with their data being held by a company that has not revealed how it is going to make its money (or even if it has) then their right to not have their data stored there must be respected, both in law and in the storers’ privacy policy.  

Spam And The Future

First email, then biotech? Are our technologies hostage to the few?

Good piece from the MIT Technology Review on spam.

Apart from the stuff we know — that hackers have created computer worms and viruses that break into computers and then turn those compromised machines into launching pads for spam — there are some other interesting observations, including how hackers have taken to “manipulating the fabric of the Internet’s routing system”.

The article quotes Geoff Hulten from Microsoft’s anti-spam technology and strategy group said that “much of the spam that Hotmail receives comes from China and Japan—in fact, those countries are now the second and third largest senders of spam. The United States is still Number 1, of course, but our Asian cohorts are moving up fast. What’s particularly troubling is that while spam from the United States runs roughly 50/50 with legitimate e-mail, spam from Asia outweighs legitimate e-mail by nearly 10-to-1.”

The article looks at how the efforts of big email providers, like Yahoo! and Microsoft, to create next generation anti-spam tools “could also help the large providers maintain and even solidify their market dominance, by making it increasingly difficult for small businesses to operate their own e-mail systems.”  

Finally, it sets a gloomy note: “E-mail and Internet-based communications are powerful tools—and just a few people have figured out ways to turn them against the vast majority of Internet users, at a cost to businesses that is now estimated at over a billion dollars. What will happen when the new powerful tools of biotechnology and nanotechnology become widespread? If we can’t tackle the spam problem, then the future may be quite bleak.”

How To Avoid MessageTag

I’ve noticed some readers of this blog are looking for ways to avoid MessageTag (or MSGTAG) a service which adds a glob of code to emails to alert the sender as to when the recipient opens it. I asked the folks at MessageTag to talk us through this, so here’s what they sent (all this is from MSGTAG, not me, although I’ve added the questions, and I’d point out that I’m still a MSGTAG user, and have so far had only one request for me not to use it in emails to that person):
 
How does MSGTAG work?
 
MSGTAG’s modus operandi is based on an HTML image reference. Image references are often included in things like HTML newsletters.

When you use MSGTAG the email goes through the MSGTAG desktop application on its way to your usual SMTP server (typically provided by your ISP). The MSGTAG desktop application acts as an SMTP proxy, passing the email on unchanged except for the addition of an HTML image reference. The image reference includes a unique ID. When the email is received, the recipient’s email client sees the image reference and requests the image from the MSGTAG web server so that it can be displayed in the email. Usually the image is invisible because it is only 1 x 1 pixel in size.

The MSGTAG web server sends back a standard image and makes a note of the unique ID and the time that it was requested. The server then associates that ID with a specific user and email. It then sends the user a receipt notification email.

 
MSGTAG tells the sender only the time a message was first opened. It doesn’t provide the sender with the IP address or geographical location of their recipients, nor does it embed tags into attachments to track forwarding or printing behavior. We don’t plan to implement any of these features because we think they promote privacy invasion.
 

I don’t like it. How do I make sure no one MSGTAGs me?

 

We’re aware that not all Internet users wish to receive MSGTAG tagged emails. That’s why we implemented the contact settings in MSGTAG Status which allow the user to automatically disable tagging for certain recipients who have asked not to be tagged.

 

Furthermore, we respect the decision of people who use technology to prevent MSGTAG tags from being triggered.
 
The following methods all allow you to read a message without triggering the MSGTAG tag:
  • a text-only mail client (hardly anybody uses these)
  • a mail client that enables the user to block external HTML images (these are becoming more popular as a countermeasure to spammers using 1×1 images to verify email addresses)
  • a firewall that stops the email client from requesting the MSGTAG image from the MSGTAG web server
  • a spam filter like Mailwasher that enables the recipient to preview the message on their mail server without downloading it into their HTML mail client. N.B.  Mailwasher is a product of Firetrust, a client of eCOSM, who developed MSGTAG for Fisher Young Group. In case you’re wondering, Mailwasher came first and this shouldn’t be construed as ’selling both the disease and the cure’. 
The simplest way for a recipient to block MSGTAG tags is to set their mail client to block external HTML images when they read their emails. This means they will be missing out on a lot of images in email newsletters, but it’s probably a small price to pay.

Goodbye To The Browser?

Here’s some more interesting end-of-year stuff from Nielsen//NetRatings: a report issued today (PDF file) says that three out of every four home and work Internet users access the Internet using a non-browser based Internet application, particularly media players, instant messengers and file sharing applications. “With 76 percent of Web surfers using Internet applications, functionality has grown beyond the browser to become a fundamental piece of the overall desktop,” said Abha Bhagat, senior analyst Nielsen//NetRatings. “It’s become harder to distinguish when you’re on the Internet, blurring the lines between what’s sitting on the desktop and what’s coming from the World Wide Web.”

According to the report, the top five applications are Windows Media Player, AOL Instant Messenger, Yahoo! Messenger, MSN Messenger Service and Real Player. Of these top five applications, Windows Media has the largest active user reach at 34 percent. AOL Instant Messenger was next at 20 percent, followed by Real Player also at 20 percent, MSN Messenger Service at 19 percent and Yahoo! Messenger Service, which reaches 12 percent of the active user base.

Interesting. But what does it actually tell us? First off, we shouldn’t get confused by the data. This doesn’t mean that folks are eschewing the browser, just that a lot of other programs are also connecting to the Internet (where is e-mail in all this?). Second, if Real Networks and MSN Messenger are anything to go by, a lot of these programs access the Internet without the user doing anything (or even knowing about it) so does this actually count? Lastly, there’s been plenty written already about how Microsoft is moving past the browser to incorporate similar functionality into its Office and other products — say Microsoft Word 2003’s Research Pane, for example — so it’s clear the big boys would have us move to more proprietary, locked-in environments, which all of the top five applications have in common. We’re not so much witnessing a demographic change as a deliberate shove by the main players.

My wish list? I’d like to see all of these players stop hoodwinking the end-user by loading their programs into the start-up queue automatically (you know who you are). It’s deliberately misleading (read: sleazy), it hogs resources and it skews data like Nielsen’s. I’d also like to see AOL, MSN and Yahoo all agree to share their instant messaging lists so folk like me don’t have to use great alternatives like Trillian to pull together our disparate buddy networks (Trillian will lump all your different Instant Messaging accounts into one easy to view window, minus all the ads and annoying pop-ups).

I see no danger in the browser gradually being phased out for plenty of web-related tasks. But, if the Internet has really become ‘part of the desktop’ let’s try to make it a place where ordinary folk can hang out without too much hassle.

Do You Know Anyone Who Buys From Spammers?

There’s another campaign on the road: This time it’s telling you not to buy anything advertised on spam. I don’t know anyone who would do this kind of thing, but there you are. According to Mike Adams (“President & CEO, Arial Software, LLC, Permission Email Pioneer and founder of the “Spam. Don’t Buy It.” public education campaign”) says: “While Internet users are rightfully raising their voices and urging legislators to outlaw spam, few users examine their own contribution to the problem. It is true that the primary blame for spam falls on spammers, but it is equally true that spam wouldn’t exist at all if Internet users stopped buying products offered by spammers.”

His argument: “Every user’s inbox is a reflection of what Internet users are buying through spam. No spammer sends emails in the interests of the public good: they do it for profit, and that profit is only generated when Internet users open spam, read spam, and buy from spam. To stop spam, we have to stop buying from spam. That’s why I have created the “Spam. Don’t Buy It.” campaign, to help educate Internet users on their role in the ongoing spam problem.”

Actually, the website does have some interesting bits. I’m just not quite sure what a “Permission Email Pioneer” is.

News: FTC Gets Tough On PopUps. Well, Some Of Them

 The Federal Trade Commission has accused a California pop-up advertising company of digital-age extortion. MSNBC reports that D Squared Solutions allegedly hijacked Internet users’ computers by bombarding them with Windows Messenger pop-up ads — as frequently as every 10 minutes. The ads hawked $30 software that promised only to stop future pop-ups from the company.
 
Windows Messenger is a different beast to Microsoft’s Messenger: it’s supposed to be used for system administrators to send out bulletins to users. Instead D Squared used it to blast annoying messages. The FTC is accusing them of extortion, and with websites like Blockmessenger.com, Endads.com, SaveYourPrivacy.com. and Fightmessenger.com under their control I suspect they have a case.

News: Copyright? What Is That Again?

 Are we all outlaws, or what? A study by Pew Internet & American Life Project from surveys fielded during March – May of 2003 (i.e. before the RIAA started sending out subpoenas) shows that 67% of Internet users who download music say they do not care about whether the music they have downloaded is copyrighted, an increase from a July-August 2000 survey which indicated 61% — of a smaller number of downloaders — said they didn?t care about the copyright status of their music files.
 
 
What does this say? Well on the surface it looks bad — although not particularly newsworthy. But on closer inspection, two things strike me:
  • Of course, these folk who are already downloading music are unlikely to come out and say they consider themselves felons. If they did care about copyright, then what are they doing downloading music? So I think the figures are a bit misleading.
  • I suspect that, all the bluster aside, the number of people downloading music is going to drop off dramatically now the RIAA is getting heavy. Not the result I think should happen, but it’s inevitable. The Net is a mysterious place and most folk (including me) don’t really know what information can be gleaned about their browsing habits, so better safe than sorry. Whether that’s going to have the intended effect of shuffling everyone off to the mall to stock up on CDs is another matter. One likely outcome is small localized clusters of CD-MP3 sharers along the lines of old mixtapes and CD-borrowing. Not that I’m condoning piracy, oh no sireee. But, now the party’s over, who’s going to go back to buying overpriced CDs just for a couple of songs you like? Share your thoughts.

Mail: MSGTAG Replies

Good software always seems to be controversial. That’s not to say there’s not two sides to the debate: Those who think Plaxo is a scam to get you to give up your private data aren’t exactly right, but they may not be exactly wrong, either: time will tell whether it becomes a great service or an intrusive nag. Similarly, another product I’ve taken to, MSGTAG, has its critics, who say allowing folk to check whether their emails have been opened is an unacceptable invasion of privacy, not least because most folk who receive such ‘tagged’ emails don’t know their email program has just sent a message home advising the sender they’ve just opened an email. (See a recent email from an outraged user.) All this is true, but it doesn’t undermine the idea that in principle, it’s a great idea. We would all be a lot more productive — not to mention safe — if we knew the emails we were sending out to friends, colleagues, customer service departments, actually reached their intended recipient.

Anyway, for those of you who are interested in hearing MSGTAG’s side of the debate, here’s their recent response to the letter I mentioned above. Original complaints in purple. I’ve cut it back a bit.

The sender has no real right to know when and if I read his email, where will this go next…tracking how often the email is open, tracking to whom I on forward the email…the possibilities are endless and tantamount to spying and invasion of privacy.

The MSGTAG read receipt process is not designed to be invasive. We feel that it is more than reasonable for a person to know if and when their mail has been read by the intended recipients. There are many situations where this benefits both the sender and the recipient. If an email hasn’t been read before a critical time, a sender can know to contact the recipient to give them the information by another means.

Our view on the subject of mail notification is that at the moment email is an unbalanced exchange. The recipient gets to read the email, but the sender doesn’t get to know if they have. If you send something via a courier service, for example, if you refuse to sign for it, you can’t open it. If you do sign for it, the sender knows straight away.

With MSGTAG we are trying to make it as fair as possible. There are some services that offer to give out all sorts of information about the recipient, such as how long the email was viewed for, how many times, who it was forwarded to, etc. Though we know how to implement this type of functionality, we have chosen a different path of fixing what we see as a broken process, without making the cure worse than the disease by adding privacy-invading features. The negative “possibilities are endless” for all sorts of technologies: we ask that we are judged by what we do, not by what can be done.

MSGTAG tells the sender only the time a message was first opened. It does not provide the sender with the IP address or geographical location of their recipients, nor does it embed tags into attachments to track forwarding or printing behaviour.

However, I do appreciate that not all Internet users wish to receive MSGTAG tagged emails. We respect the business decisions of companies such as yours that wish to implement firewall or proxy technology to prevent MSGTAG tags from being triggered. Furthermore, we have implemented a system within MSGTAG Status that allows users to disable tagging for certain recipients who have asked not to be tagged.

MSGTAG also collects the recipient’s email address, email ID, IP address and email headers without the recipient’s authorisation or knowledge.

It is true that we collect the recipient’s email address and the email ID – this is provided to us by the sender of the email. As I pointed out in the previous paragraph, we don’t collect the recipient’s IP address and we don’t have access to the header information except for:

The subject line – this is used in the notification email so that users know which e-mail has been read, without it they would only know that one of their emails has been read, but they wouldn’t know which one.

The message ID generated by the sender’s e-mail client – this is a unique code attached to all emails by most email clients so that the clients can reliably tell e-mails apart. We use it for the same purpose.

The address the e-mail was sent to – we use this for the same reason as the subject line – so the user knows which e-mail the notification is about.

We also record when the tag was added, and when it was triggered so that we can tell the users when it was triggered, and what the elapsed time was. That is all that we collect from the email.

I agree that what we do with the small amount of information we collect is a serious privacy issue. That is why we have a privacy policy publicly posted on our site. There are several prominent links to it, including within the application itself. I refer to the following relevant section of our Privacy Policy:

“MSGTAG facility
The Software uses the MSGTAG service to determine whether an e-mail that has been tagged by the Software has been received by the intended recipient. In order to achieve this, MSGTAG must store the subject, message ID, message recipient, date sent, and MSGTAG account name of the sender for each e-mail tagged by the Software. If tagging is disabled in the application, MSGTAG does not store this information. MSGTAG will not sell, share or rent this information to any other parties.”

At present, there is only one person in our organisation who has access to the email addresses used in MSGTAG – a System Administrator. As General Manager of MSGTAG, I do not have access. Tech support staff must ask the system administrator for this information on a case by case basis, in order to address specific problems raised by our customers.

We publicly state what happens to email addresses collected. They are only valuable to spammers. They are not valuable to us, because we abide by our Privacy Policy, and cannot exploit them. It would be commercial suicide for us to misuse the email addresses stored on our servers. The integrity of our brand is more valuable than a list of email addresses. Besides, we hate spam with a passion.

“This is in direct contravention to the privacy act and the rules governing the collection of personally identifiable information.”

We also feel that MSGTAG’s email tracking service is not only an invasion of our privacy but is also an infringement of the “Information Access” and “Computer Equipment Access” laws as their service provides “back-flow” traffic, without the recipient’s knowledge or consent, directly from their computer software and hardware.”

We are unaware of any infringement as per your suggestions. Fisher Young Group takes its obligations and allegations of this nature extremely seriously. If you can provide us with more information about the specific areas of law that are at dispute, we will investigate your concerns thoroughly.

Matthew Miller

Interesting stuff. Let us know how you feel.

News: Big Brother’s Net

 For those of you interested in how the Internet is not an unrestricted place for everyone, Reporters Sans Frontieres/Reporters Without Borders last month published their second annual report on censorship in cyberspace, “The Internet under Surveillance – Obstacles to the free flow of information online” which details “attitudes to the Internet by the powerful in 60 countries, between spring 2001 and spring 2003”.
 
 
The report looks at quite a few countries, although it leaves some obvious ones out: It looks at Australia, for example, but leaves out Indonesia and Brunei. Looking at China, for example: “Population : 1,284,972,000; Internet users : 59,100,000; Privately-owned ISPs : no; Internet Users and cyber-dissidents in prison : 42. The number of Internet users doubles nearly every six months and the number of websites every year. But this dizzying growth is matched by the authorities’ energetic attempts to monitor, censor and repress Internet activity, with tough laws, jailing cyber-dissidents, blocking access to websites, monitoring online forums and shutting down cybercafes.”
 
Download the full report as a PDF file here (2.5 MB).