Tag Archives: Online social networking

Does Plaxo Have My Data?

Here’s more on the Plaxo discussion about the security of data held by the contacts management service.

Plaxo has kindly responded to my earlier post about the security issue raised by Britain’s Lodoga (their comments are definitely worth reading). I’ve also had a chance to talk to the folk at Lodoga about the problem. One or two points worth making.

  • Lodoga point out it’s not just Plaxo that are — or were; they moved quickly to fix the problem – vulnerable to this kind of attack. Many, if not most, websites that use forms are. So Plaxo could quite reasonably claim they’re being unfairly singled out here.
  • Plaxo say that the vulnerability is limited to specific attacks on specific individuals. This could be misleading. As Lodoga points out, it’s the very specificity of the attack that’s worrying. In such cases, and like some phishing cases, the attack could be aimed at certain companies, and certain individuals, in order to extract data for more complex and broad attacks (for example, to impersonate someone to hijack data, fool other people into giving up data or even control a website). Just because the vulnerability is limited doesn’t mean it’s not a vulnerability.

Plaxo ‘correct’ a couple of points in my earlier post, which themselves need clarifying. It comes down to a couple of basic questions:

If I use Plaxo, is my address book stored on Plaxo’s servers?

Plaxo quote me as saying “that information will be stored in Oliver’s contact details on Plaxo’s servers in addition to whatever data he adds”, and respond thus: “Storing a person’s address book on our servers is an option, not a requirement for using the service (we refer to this as web-enabling your address book). Users can select this option when installing Plaxo, or change this option anytime through their preference settings. Enabling this option has certain benefits such as automatic backups, quick restore capabilities, enhanced synchronization capabilities and Web access, but it is still an option.”

Well, up to a point. It’s true that as a Plaxo user you can elect to prevent your contacts from being stored on Plaxo’s computers. But once again, it’s not a straightforward process, and unless my configuration is weird, having your data stored at Plaxo is set as a default, as far as I can work out, and the option to change it can only be found in the ‘Advanced’ tab of the Preferences window. What’s more, the option is called ‘Allow web access to contacts’ (i.e. not ‘Store copy of your contact data on Plaxo servers’, or something more explanatory). If you try to uncheck it, you’ll get a warning message: ‘Are you sure you want to disallow web access to your account? Doing this will also disallow you from synchronizing your address book on multiple computers and disable much of Plaxo’s functionality.’ It then gives three options: Yes, No and Cancel (what’s the difference between No and Cancel, exactly?) All this is hardly a way to reassure the wary. (If you do go ahead and uncheck this option there’s no way that I can see of confirming that your data has been removed from Plaxo’s servers; synchronizing your data does not result in any message to indicate the deletion has taken place.) My verdict: This option is not transparent and only likely to be pursued by the more advanced user. It needs to be more clearly presented, the warning dialog needs to be rephrased (or preferably removed, since it tries to dissuade the user from selecting it) in the early stages of setting up data.

Plaxo make a couple of other points in this regard: You don’t have to Plaxo your whole address book, just those folders you want to. True, but within those folders — and for most users, that means their complete address book — there’s only two states: all stored at Plaxo, or none.

If I don’t use Plaxo, what can I do to avoid having my data stored at Plaxo?

First off, the issue is: How do I find out if Plaxo is storing my data? I wrote: “There’s no way for a non-user to tell whether your data is being stored at Plaxo unless you email all your contacts” to which Plaxo adds: “Well I suppose this is only partially incorrect. This statement is true regardless of Plaxo – there is no way for anyone to tell whether your data exists in someone else’s address book.”

The only ‘incorrect’ bit of the statement I can find in Plaxo’s answer is this: You could also find out whether your data is being stored at Plaxo if you receive an update request from someone who uses Plaxo. Plaxo’s Stacy Martin says, “Personally, I feel this is one of the benefits to receiving Update Requests from Plaxo members. The Update Requests at least tells me who maintains my information. It gives me cause to follow up with the person to request they remove my information if I desire (as you mentioned, we also provide this as a courtesy to make that request on your behalf).”

Once again, I’m not sure this is a plus. It comes down to what many users see as the intrusiveness of Plaxo. If you have to respond to an email to opt out of something — either by creating a fake contact, sending an email to your friend requesting they delete you from their contact list, or asking Plaxo to do it for you — then you have, in the eyes of many, abused their privacy. Many users have complained to me about receiving dozens of these ‘update’ requests, which are sent very, very easily from an unschooled Plaxo user. So any argument that posits these updates are a benefit is not going to be a popular argument, since it requires the recipient to take action to avoid further requests: An intrusive form of spam if ever there was one.

More importantly, Plaxo does not contradict the basic idea here, namely that there’s no easy way to find out if Plaxo has your data, and there’s no easy way to remove it if they are. Stacy’s response is philosophical: do we control our own data anyway, and do we have the right to ask others to delete our data if they do choose to store it? Well yes, it’s true to a certain extent. Any Tom, Dick or Harry can have our email address in their address book, and if we’ve learned nothing from recent viruses, it’s that our email address can pop up in the oddest of places.

But while this may hold true in the cases of individuals, Plaxo is treading on dangerous ground by arguing the same with what is a commercial service. Users are extremely sensitive about their private information being held by companies, governments and institutions without their knowledge or consent. In the case of companies the issue is particularly sensitive, for two important reasons:

  • Companies have shown that they cannot be trusted to stick to their promises about not making commercial use of that information, by altering privacy policies, by transferring ownership of the data to a company that has not made the same commitments about the privacy of that data, or just by misleading the user. The short history of e-commerce has been a disastrous loss of trust on the part of the public in this issue. So while you may not care that much about an individual holding your data in their Outlook address book, if a corporation has that data on their servers it is quite a different matter. Users do care, and companies that try to sidestep the matter face a hostile audience.
  • Secondly, security. Lodoga has proven that web servers with web access are not safe places. Their theoretical attack has been plugged, but there are likely to be many more. It’s not a useful argument to say that such attacks are limited, and have to be specific to be successful. That is not the point. The point is that if you store your address book on Plaxo you, and everyone in your address book, are vulnerable. So, while it’s true that your personal data is never completely safe — someone could steal someone’s PDA which happens to have your address data on, say — having that same data stored on Plaxo’s servers is a different matter. It’s there, and everyone knows it’s there. It’s a clear target for someone looking to leverage such data for a broader attack.

So, I have to conclude that answering the question with a philosophical discussion about ‘ownership of data’ is steering the reader away from the core issue: Plaxo is a well-known, well signposted store of data that is valuable to others, criminal or otherwise, and that data may include your own personal data, without you being able to a) find out and b) do much about it.

It’s good that Plaxo go to the trouble of answering such questions, and I hope this post takes the discussion further forward. I should once again point out for the record that I still use Plaxo, although I’ve now disabled the ‘web access’ component, meaning, I hope, that my data — and any of yours which I happen to have in my Outlook — is no longer on Plaxo’s servers.

Could Plaxo Be Phished?

(For more discussion, and expansion of some points in this posting, go here.)

For those folk already concerned about privacy with Plaxo’s contact updating service, this is not good news.

ZDNet reports that Plaxo has “plugged a serious security hole in its Web site on Monday that left its members’ contact lists vulnerable to be stolen, modified or deleted.” The security flaw, which was discovered by British-based Web application security company Lodoga, was reported to Plaxo on Monday evening. Lodoga’s security test engineer Jeremy Wood told ZDNet it took him less than an hour after discovering the weakness to build an attack script that could exploit the vulnerability. The attack uses a form of phishing — spoofing the website’s sign-on page to extract passwords — which could then be used to access their account.

Plaxo told ZDNet UK that the Web site was fixed a few hours after the problem was highlighted and was “fairly certain” that the vulnerability had not been exploited by anyone. There was no information about this on Plaxo’s website at the time of writing this, a few days after the event. (I think there should be. Their last piece of ‘news’ was on December 17 2003, about reaching the 1,000,000 user mark. Plaxo should, in my view, do a better job of informing its users of security issues, as much as about how many users it has signed up.) This is, needless to say, a bit scary. As ZDNet points out, Plaxo are almost certainly not alone in this vulnerability, but it’s absolutely crucial that they, and other companies that store user data, are ahead of the curve on security. Since a lot of phishing attacks are based on targeted social engineering  – figuring out enough about you so their lure is persuasive — the detailed kind of information about individuals stored on Plaxo’s servers would be gold to a phisher.

Which echoes the question raised by someone who posted a comment to one of my earlier Plaxo posts: What do you do if you don’t want one of your contacts to store all your contact details at a place like Plaxo? Well the short answer is you contact the person who is storing your details there, and ask them not to.  Alternatively, Plaxo says, we would be happy to make this request directly to a specific user on your behalf. (Here’s the relevant page on Plaxo’s website.) Plaxo says it cannot delete anything itself, because, among other things, this information remains private to the user. “In no event will we delete information from our users’ address books, regardless of whether that information is stored on a user’s home computer or contained in their Plaxo address book stored on our servers.”

 

This is fine — or more or less fine — if the data is secure. But that clearly wasn’t the case until Monday night. As Plaxo says: “This information is protected with best practice security systems and is not accessible by anyone other than the owner of the information and anyone to whom that owner gives access.” So what does someone concerned about the security of their personal data do to stay out of Plaxo?

What some folk have done, and we’ve mentioned this before, is to either fill in a Plaxo auto-reply, which means you won’t get any future update request emails from Plaxo every time someone with you in their address book starts using Plaxo. Others will actually create a profile for themselves with only their name and their email address in (I’ve noticed a few Microsoft employees do this). This means they won’t be bugged to fill in all their other details.

 

But, and it’s an important but, it won’t prevent their personal data from being stored: If I store all Oliver’s personal details in Plaxo (and if I use Plaxo, I don’t have any choice about this, whether or not I decide to email Oliver and ask him to update his data) that information will be stored in Oliver’s contact details on Plaxo’s servers in addition to whatever data he adds. If he only gives me his email address, there’s still all his other contact details I’ve stored there, potentially up for grabs by a phisher. Remember, Plaxo automatically stores your whole Outlook address book on its servers, whether or not you decide to ping someone to update their details.

 

And there are other problems. There’s no way for a non-user to tell whether your data is being stored at Plaxo unless you email all your contacts — anyone, basically, who may have your email address in their Outlook address book, and ask them. As that is tantamount to spamming, you probably are going to think hard before doing that. And just because one person removes your data, doesn’t mean you’re clean. There are still all the other folk storing your data there, since none of these contacts is linked to another. As Plaxo itself points out, “Plaxo service does NOT create a public accessible directory — each user’s address book is unique, each user may have entered different information about individuals in their address book. We do not share information from one user’s address book with other users, and we do not attempt to cross-check the accuracy of the data in our users’ address books (e.g., there might be thousands of entries for “John Smith”, but no way to determine whether these entries refer to the same person, etc.).” Bottom line: Unless you’re actually a Plaxo member, Plaxo may have duplicated your contact details a dozen times over.

 

I’m going to invite Plaxo to comment on this post, and will post their thoughts. But in this age of phishing, data security has got to be top of the list of Plaxo’s concerns. It’d be good to hear that from them.

How To Avoid MessageTag

I’ve noticed some readers of this blog are looking for ways to avoid MessageTag (or MSGTAG), a service which adds a glob of code to emails to alert the sender as to when the recipient opens it. I asked the folks at MessageTag to talk us through this, so here’s what they sent (all this is from MSGTAG, not me, although I’ve added the questions, and I’d point out that I’m still a MSGTAG user, and have so far had only one request for me not to use it in emails to that person):
 
How does MSGTAG work?
 
MSGTAG’s modus operandi is based on an HTML image reference. Image references are often included in things like HTML newsletters.

When you use MSGTAG the email goes through the MSGTAG desktop application on its way to your usual SMTP server (typically provided by your ISP). The MSGTAG desktop application acts as an SMTP proxy, passing the email on unchanged except for the addition of an HTML image reference. The image reference includes a unique ID. When the email is received, the recipient’s email client sees the image reference and requests the image from the MSGTAG web server so that it can be displayed in the email. Usually the image is invisible because it is only 1 x 1 pixel in size.

The MSGTAG web server sends back a standard image and makes a note of the unique ID and the time that it was requested. The server then associates that ID with a specific user and email. It then sends the user a receipt notification email.

 
MSGTAG tells the sender only the time a message was first opened. It doesn’t provide the sender with the IP address or geographical location of their recipients, nor does it embed tags into attachments to track forwarding or printing behavior. We don’t plan to implement any of these features because we think they promote privacy invasion.
 

I don’t like it. How do I make sure no one MSGTAGs me?

 

We’re aware that not all Internet users wish to receive MSGTAG tagged emails. That’s why we implemented the contact settings in MSGTAG Status which allow the user to automatically disable tagging for certain recipients who have asked not to be tagged.

 

Furthermore, we respect the decision of people who use technology to prevent MSGTAG tags from being triggered.
 
The following methods all allow you to read a message without triggering the MSGTAG tag:
  • a text-only mail client (hardly anybody uses these)
  • a mail client that enables the user to block external HTML images (these are becoming more popular as a countermeasure to spammers using 1×1 images to verify email addresses)
  • a firewall that stops the email client from requesting the MSGTAG image from the MSGTAG web server
  • a spam filter like Mailwasher that enables the recipient to preview the message on their mail server without downloading it into their HTML mail client. N.B. Mailwasher is a product of Firetrust, a client of eCOSM, who developed MSGTAG for Fisher Young Group. In case you’re wondering, Mailwasher came first and this shouldn’t be construed as ‘selling both the disease and the cure’.
The simplest way for a recipient to block MSGTAG tags is to set their mail client to block external HTML images when they read their emails. This means they will be missing out on a lot of images in email newsletters, but it’s probably a small price to pay.
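
An added example (not from MSGTAG or the original post) of the image-blocking countermeasure described above: it lists the remote image references in an HTML message and rewrites them so that a mail client rendering the result would not fetch them. The message, the host names and the `id` parameter are constructed placeholders, not MSGTAG's real URL format.

```python
import html
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; hosts and the "id" parameter are placeholders.
RAW_EMAIL = """\
From: sender@example.com
To: reader@example.org
Subject: Quarterly figures
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Figures attached.

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Figures attached.</p>
<img src="https://news.example.com/banner.png" width="600" height="200" alt="Banner">
<img src="cid:logo@example.com" width="80" height="40" alt="Logo">
<img src="http://tags.example.invalid/t.gif?id=7f3a9c2e51" width="1" height="1" alt="">
</body></html>

--b1--
"""


class _ImgCollector(HTMLParser):
    """Records each <img> start tag: its exact source text and its attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append((self.get_starttag_text(), attrs))


def _split(src):
    try:
        return urlsplit(src.strip())
    except ValueError:
        return None  # unparseable URL


def _is_remote(src):
    """True if rendering the image needs a network fetch (http, https or //host)."""
    parts = _split(src)
    if parts is None:
        return True  # fail closed: treat what we cannot parse as remote
    return parts.scheme in ("", "http", "https") and bool(parts.netloc)


def _dim(value):
    """Parse a width/height attribute such as '1' or '1px'; None if unusable."""
    try:
        return int((value or "").lower().replace("px", "").strip())
    except ValueError:
        return None


def html_body_of(raw_message):
    """Return the text/html part of a raw message, or '' if there is none."""
    msg = message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    return part.get_content() if part is not None else ""


def find_remote_images(html_body):
    """List remote <img src> references; cid: and data: images are local."""
    parser = _ImgCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for original, attrs in parser.images:
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if not _is_remote(src):
            continue
        parts = _split(src)
        w, h = _dim(a.get("width")), _dim(a.get("height"))
        findings.append({
            "src": src,
            "host": parts.hostname if parts else None,
            "query": parts.query if parts else "",
            # 1x1 (or 0x0) is only a reporting hint: any remote fetch reveals
            # the open, whatever the image size.
            "tiny": w is not None and h is not None and w <= 1 and h <= 1,
            "original_tag": original,
            "attrs": attrs,
        })
    return findings


def block_remote_images(html_body):
    """Rename src to data-blocked-src on remote images so they are not fetched.

    Only <img src> is handled; srcset and CSS background images are out of scope.
    """
    out = html_body
    for f in find_remote_images(html_body):
        kept = []
        for name, value in f["attrs"]:
            if name == "src":
                name = "data-blocked-src"
            kept.append(name if value is None
                        else f'{name}="{html.escape(value, quote=True)}"')
        out = out.replace(f["original_tag"], "<img " + " ".join(kept) + ">")
    return out


if __name__ == "__main__":
    body = html_body_of(RAW_EMAIL)
    for f in find_remote_images(body):
        kind = "likely read-receipt pixel" if f["tiny"] else "remote image"
        print(f"{kind}: host={f['host']} query={f['query']!r}")
    print(block_remote_images(body))
```
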

More On Plaxo, Privacy and Opting Out

This is likely to be the last exchange on Plaxo: Hopefully some of the issues that have concerned me and readers have been cleared up by this and other recent posts.

Plaxo have kindly added a comment in reply to my posting on how to avoid Plaxo, in which they’ve pointed out that they have added an opt-out feature, meaning that instead of receiving endless ‘reminders’ to update your contacts from users, you can avoid either specific or all such requests via a link in the update email. (This link takes you to a page offering three options: Blocking all update requests from that person, using an auto-reply feature I mentioned in the previous posting, or a ‘permanent opt-out’.)

This is good news, and thanks for pointing this out. Plaxo says in the comment, “It’s right there in every Update Request sent and has been provided by Plaxo for some time now.” However, I’ve gone back through Plaxo update requests and readers’ mail on the issue and can only find Plaxo update requests sent to me in December to have included this feature. Unless I’m mistaken, prior to that there was no readily obvious way to opt out, and I have received complaints as recently as October of readers receiving multiple update requests with no visible method of avoiding future ones. (The webpage that refers to this feature does not indicate when the option was added, but says the page was updated on December 23.) In emailed responses to questions, Plaxo’s Stacy Martin says this opt-out became a standard option in November.

I accept that Plaxo now makes it easier for non-users to opt out of future requests, and I can readily understand that it’s difficult to find the right balance. On the one hand you don’t want to bug people who don’t want to be bugged; on the other, the only way to do this is for those who want to opt out to register all their known email addresses with Plaxo, since the company has chosen to use email addresses as the best way to recognise and store individual records. If users want to opt out, some sort of record needs to be kept of their wanting to opt out, in the same way a spammer is (supposedly) bound to keep a record of people who don’t want to receive more spam from them.

That said, this opt-out feature could be easier to find on the Plaxo website. It’s not mentioned on the front page, as far as I can see. On the support page linked by Plaxo’s Trust Officer I could find no mention of it, or direct link there. It was not on the page of frequently asked questions. You can find information about the opt-out feature by, among other possible ways, typing in ‘opt-out’ or ‘optout’ into the search support box selecting either in the ‘all search topics’ option or the ‘Information for IT departments’ option. Performing the same search in the (more logical, in my view) ‘Troubleshooting’ or ‘Security and Privacy’ categories will not provide this link — except tangentially, for example at the bottom of one page referring to the question ‘Does Plaxo send spam to my contacts?’. (Plaxo’s Martin demurs, saying “In looking at the traffic flow on our web site, we’ve found the large number of users looking for assistance go straight to using the search within the Help Center and search on all topics rather than browsing around or searching on a subset of topics… Searching for “opt-out”, “stop”, “opt”, “no mail”, “out”, “optout” all provide users the proper information on how to stop receiving update requests.”)

Finally, if you’ve made it to the opt-out page – or clicked on the opt-out link provided in the update requests I mentioned at the start — you’ll be warned against using this feature. Click on the link in an email and you’ll be told ‘If you choose this option, friends and contacts with important update e-mails will no longer be able to contact you using Plaxo’. On the opt-out page itself, you’ll be told, in bold: ‘Note that by permanently opting-out, friends and business associates can no longer request your latest information or send you their latest contact information’.

I find the wording of both messages somewhat alarmist to the casual user: Both seem to suggest that somehow people will not be able to contact anyone who accepts this option. I believe the wording could be better constructed to make clear that accepting this option is ONLY going to remove them from future Plaxo emails and not have any more disastrous impact on their social, business or family life. If someone has gotten this far to opting out, I think Plaxo have probably lost them as a potential customer and they should give up gracefully.

All this said, and despite some residual concerns about Plaxo’s practices, I remain a Plaxo user and have, on balance, found it to be very useful. It appears that Plaxo has been responsive to user concerns and tried to hone its approach. But there’s clearly some ways to go, and, at least on the opt-out issue, I think Plaxo could be clearer, by at least

  • posting a link on the home page,
  • marking it clearly on the support page and
  • by avoiding language on the opt-out page itself that may confuse or deter the casual user.

Plaxo’s Martin says they’ve already made some changes to accommodate these suggestions, which I emailed to her before posting here. It’s good to see that they are responsive to these and other concerns: Another feature that bugged readers, if my mailbag is anything to go by, was the way Plaxo kept a record of how many update requests were sent to any non-user, even if they weren’t from the same source. This kind of intrusiveness raised hackles, understandably, in that Plaxo appeared to be targeting prospective users and keeping tabs on them. Stacy says this feature was dropped last November.

How To Avoid Plaxo

Plaxo, the automated contact updating service, have responded to my last posting (see the comment at the bottom). I don’t think we need to go there any more. Bottom line: At present Plaxo exerts a high degree of access to your address book, and you may want to think carefully before you sign up about whether you want that. That said, Plaxo is a very useful tool, and they seem to be receptive to the idea that some things need to be improved.

For those of you who don’t want Plaxo, and are tired of getting requests from people to join up, here are two solutions from a reader:

  • When you get your first Plaxo update email from someone, set up an account with ‘fake’ info, and then edit your ‘card’ and click the ‘register your old e-mail addresses with Plaxo’ link. Put all your email addresses that other people might have there. Then anytime someone requests an update, they’ll get your fake card — with the right email addresses, but nothing more — back. And you won’t hear from them again.
  • When you get your first Plaxo update email, don’t sign up but go to this link. Fill in the ‘auto-reply’ form and put in some fake info. “This,” the reader says, “appears to have the same effect. The problem is once you register an email address in Method 1, you can’t use that email address in Method 2.”

The good news: “Either method ensures no one bugs you ever again for the email addresses that you have registered.” Ingenious.

The bad news: “I really dislike the fact that you can’t tell Plaxo to remove your email address from their system completely and forever. They will keep it on their database. This probably breaches the Privacy Acts of some jurisdictions.” Fair point.

I certainly know of many friends who have been deeply annoyed by multiple requests from Plaxo users, and these methods offer a good workaround. But perhaps Plaxo should consider a way for users to ‘opt out’ of the whole Plaxo thing, without having to spoof as this reader does, since this spoofing doesn’t help anybody: The fake information is a nuisance for the recipient, a waste of time for the spoofer, and a waste of space for the Plaxo records. And it still requires Plaxo holding some user data (the email addresses) which clearly offends some folk.

Back to you, Plaxo, for comments?

In Plaxo-land, There’s Still Some Confusion

This Plaxo issue is confusing. But it’s still worrying.
 
Here’s the story so far: Plaxo is a way to keep your contacts up to date, and it works well and simply. But privacy has been an issue: Can you trust a company to keep your personal data — not just your own details, but all your contacts who also use Plaxo — safe? Plaxo have been quite convincing about this issue, which is why I and a lot of other people use the service: More than a million, according to their website.
 
But here’s the tricky bit: In recent months I’ve noticed that some contacts have been updating themselves in my address book without me giving them permission to do so — or even requesting it. The responses I’ve received from Plaxo have been of the kind you can see in the comments on one of my recent postings about this, namely, that can’t happen, it must be a user (i.e. my) error.
 
Now I’ve got a more complete, and complicated response from Stacy Martin, Plaxo Trust Officer. Stacy’s gone to some trouble to answer my complaint, and readily acknowledges the system isn’t perfect. And I accept that my earlier fear — that people I have never met, or put in my address book, may be adding their contacts — is unfounded.
 
But, without wanting to be difficult, I’m still not satisfied. The problem is this: Plaxo doesn’t just handle the contacts you assign to be updated via Plaxo, it accesses — and can alter, without your approval — your whole address book.
 
It’s complicated, but to try to boil down the argument I’ve paraphrased. I hope I’ve done it correctly: Plaxo, Stacy says, can only UPDATE entries that already exist in your Outlook/Outlook Express address book. It cannot ADD new entries unless you approve the action. This automatic update can occur in one of two ways:
  • If you and someone else have both agreed to allow update requests, or
  • Your address book contains at least the e-mail address of another Plaxo member who has granted other Plaxo members access to his information contained on one or both of his cards.
It’s this second one that is causing the problem. It sounds complicated, I know, but it comes down to this: If you have in your Outlook or Outlook Express address book anyone who is also a member of the Plaxo network, whether or not you request it, that person’s contacts will automatically update themselves in your address book. This leads, as you may imagine, to some surprising results:
  • All the people in your address book — automatically added by you manually, your email program (Outlook versions prior to 2002 had this feature), or any other program interacting with your address book — can now be altered remotely by those people, so long as they are Plaxo subscribers (In one case a contact was not only altered but the name given to that person — his actual name — was altered, making him, er, hard to locate);
  • This appears to override your original settings, that is, the list of people you requested updates from when you first configured the program.

In short, with Plaxo you’re no longer in control of your address book. Signing up to Plaxo means your whole address book is accessible by Plaxo (and presumably stored on their server, not just those contacts you’ve chosen to update via their service).

Stacy readily accepts some of this is confusing, and says “we feel there is much more work we can do on our end to make this action more clear and understandable as to not alarm the member. Hopefully, future versions of Plaxo Contacts will make this more evident.”

That’s a start. Here’s my tupennies’ worth:

  • I think other Plaxo users would be as surprised as I to find out that Plaxo has a complete record of, or access to, our address book, whether or not we submitted all those contacts to Plaxo initially, and
  • that as a result people we have not contacted have updated themselves in our address book, without our permission.
  • How does Plaxo ‘synchronise’ our contacts? Is this done only with those contacts marked as ones we have agreed to update via Plaxo, or is it all of them?
  • What about the embarrassment quotient? What happens, for example, to contacts we have at some point deleted from our Outlook address book? Is this information — the deletion — passed on to the Plaxo-fied contact?

The bottom line here is, in my view, that Plaxo have got to give much greater control to the user as to who and what is updated in the address book. My assumption was always that those people we’ve not selected to update via Plaxo would not be updated, or even accessed, by Plaxo. And to me the logical idea would be that if that did happen, we would get the chance to scotch such updates and sever contact with that person if we so desired. I’m relieved to know that Plaxo folk aren’t able to add themselves to my address book without my sayso, but I still believe there’s a lack of user control over who gets to update what.

Plaxo is a great concept, and a good service, but it must abide by its own promises, like this one: “At all times, members of the Plaxo Contacts service control how their information is used and with whom it is shared.”

More On Plaxo

Further to my outburst about Plaxo, and the suggestion that people you don’t know can add their contacts to your Outlook address book without your permission, I’m pleased to see that someone from Plaxo has added their comments (at the bottom of that posting).

I’ve also received a more detailed response from someone in Plaxo’s privacy department, which I shall go through and summarise in a later posting. Suffice to say I’m not yet convinced of the argument that it’s a simple question of the user’s (i.e. my) error. I’ll explain later; it’s not a simple issue. But thanks, Rikk, for taking the trouble to add your comments.

Is Plaxo A Namecard Spammer?

What gives at Plaxo?

I’ve decided to stop recommending what seemed to be a pretty good way to stay up to date with contacts after a series of weird incidents when folk unknown to me were somehow able to add their contacts into my Outlook address book without my say-so (today’s was someone from a PR company I’ve had dealings with before, but never, to my knowledge, with this person).

I’ve raised this issue before and have waited for more than two months for word from Plaxo about the matter, so they’re off my Christmas card list and, until they can explain what’s going on, and, if required, fix this, I don’t recommend anyone else use it. Plaxo is a good idea, but the privacy concerns about it all have scared people right from the start. This latest hole — where, apparently, anyone can spam their way into your address book, along with comments like “Winner of the PR Week Asia ‘New Consultancy of the Year’ award for 2001” — isn’t going to put minds at ease.

Until then, I’m forced to ask:

  • How do people I don’t know know that I’m on Plaxo?
  • How can they automatically add their contact details to my Outlook address book without me approving it?
  • Is this how Plaxo is making its money? Charging some folk to spam possible clients with their namecard?

Looking forward to getting some answers on this, which I’ll pass along to the blog.

CD-Rom Business Cards. Huh?

I know I may be missing something here, but what is this all about business cards on a CD Rom? Newsweek reports increased sales of these things — either full size or credit card sized and shaped — which people hand out at trade shows: “General consensus in the biz world: why spring for color brochures at $5 a pop when CD cards average a buck each? For much more cash—$3,000—New York’s HYLife Productions can squeeze up to eight minutes of video on its cards.”

I have to say I have enough problems with real business cards that aren’t the right shape or where the text is the wrong way up. Out here in Asia these small CD sized name cards came and went — at least in my line of work — a few years back, and I’m pretty sorry to hear that they may be making a comeback. First off, how exactly is 100 MB of Flash really going to help? And if the ones I received are anything to go by, folk would usually jazz up even the most basic contact details with fancy graphics so you could forget about simply copying and pasting the salient details into Outlook. Sorry but I’d rather the guy say “Here’s my name card but I’ll email you my vCard”. Or “Are you all Bluetoothed up? Let me beam it to you now.” Or, if you like the guy and want to make a firm commitment, ask him: “Are you on Plaxo?”

Sure, I can understand the use of CD-Roms to hand out data about reunions, parties and whatnot, but most folk who would know what to do with that sort of thing are wired, so why not email it to them? I already have way too many CD-Roms in my den; the last thing I want is funny shaped ones to add to them.

The Virtual World Gets Surprisingly Lifelike

The Sims Online – an Internet-only world where ordinary folk can take on another persona and interact with other folk virtually — seems to be exhibiting all the signs of the real world, with a twist. Salon carries an article about a Sims community called Alphaville, and some of its citizens, including an academic called Urizenus (in real life, Michigan philosophy professor Peter Ludlow), a young man (or, possibly, a boy) called Evangeline, allegations of extortion, and the possible existence of a virtual brothel.

The story is well worth a read (subscription or day pass only), if only for the moral responsibilities a corporation running a community may have. If someone opens a virtual brothel for online folk to indulge in a little cyber-sex, is the company managing that world — in this case Electronic Arts — guilty of prostitution? And what happens if there’s evidence the ‘madam’ of that brothel, and some of its employees, are underage? And then, exploring the matter further, is Electronic Arts guilty of censorship by terminating the account of the academic who chronicled such allegations in his online newspaper, Alphaville Herald? And if there’s (ultimately) real money involved, should the police be called in to this virtual world?

I’m not surprised a philosophy professor is interested in these kinds of issues. Going back to the early days of the Internet, the virtual world has a habit of impinging on the real. In that sense there’s nothing different between real estate and virtual estate. If humans interact on it, it’s turf and it needs to be policed. It will be interesting to see how EA handle this case, and whether they start patrolling their creation more thoroughly. And if they do, will it cease to be economically viable?

More discussion on this on Slashdot. Here’s an ‘interview’ by Ludlow with Evangeline (parental discretion advised, via Boing Boing Blog).