Tag Archives: Plaxo

Why Social Network Sites May Fail

Look at a social networking site like Yaari and you can see where the social networking phenomenon may fail, simply by abusing the trust of its users.

Sites like LinkedIn, Plaxo etc rely on expanding quickly by offering a useful service: trawling your address book to find friends and contacts who use the same service. We’ve gotten used to this, and it’s a great way to build a network quickly if you sign up for a new service.

But any service that uses this needs to stress privacy, and put control in the hands of users. Plaxo learned this a few years back. Spam a user’s contact list without them realising and you invite a firestorm of opprobrium on your head.

But surprisingly some services still do it. And in so doing they risk alienating users from what makes Web 2.0 tick: the easy meshing of networks—your address book, your Facebook buddies, your LinkedIn network—to make online useful.

Take Yaari, a network built by two Stanford grads which has for the past two years abused the basic tenets of privacy in an effort to build scale.

What happens is this.

You’ll receive an email from a contact:


It’s an invitation from a “friend” which

  • gives you no way to check out the site without signing up. The only two links (apart from an abuse reporting email address at the bottom) take you to the signup page.
  • neither link allows you to check out your “friend” and his details before you sign up.

If you do go to the sign up page you’ll be asked to give your name and email address:


Below the email address is the reassuring message:

Your email is private and will stay that way.

But scroll down to below the create my account button and you’ll see this:

By registering for Yaari and agreeing to the Terms of Use, you authorize Yaari to send an email notification to all the contacts listed in the address book of the email address you provide during registration. The email will notify your friends that you have registered for Yaari and will encourage them to register for the site. Yaari will never store your email password or login to your email account without your consent. If you do not want Yaari to send an email notification to your email contacts, do not register for Yaari.

In short, by signing up for Yaari you’ve committed yourself, and all the people in your address book, to receiving spam from Yaari that appears to come from your email address. (Here’s the bit from the terms: “Invitation emails will be sent on member’s behalf, with the ‘from’ address set as member’s email address.”)

You should also expect to receive further spam from Yaari, according to the terms:


In other words, anyone signing up for Yaari is committing both themselves and everyone else in their address book to receiving at least one item of spam from the company. Users complain that Yaari doesn’t stop at one email; it bombards address books with follow-up emails continually.

Needless to say, all this is pretty appalling. But what’s more surprising is that Yaari has been doing this for a while. I’ve trawled complaints from as far back as 2006. This despite the company being U.S.-based. I’m surprised the FTC hasn’t taken an interest.

So who’s behind the site? This article lists two U.S.-born Indians, Prerna Gupta and Parag Chordia, and quotes Gupta as saying, back in 2006, that, to preserve the integrity of the network, access is restricted to the right kind of Indian youth. I’m not young, I’m not Indian, and I’m probably not the right kind, so clearly that goal has been abandoned.

Here are some more details of the two founders.

Gupta, who is 26, is an economics major who graduated in 2005 and was working for a venture capital firm in Silicon Valley called Summit Partners until 2005. Her Facebook profile is here; her LinkedIn profile is here. According to this website she once won the Ms Asia Oklahoma pageant (her hometown is listed as Shawnee in Oklahoma, although she lives in Atlanta).

Chordia, chief technology officer at Yaari, has a PhD in computer music, and is currently assistant professor at the Georgia Institute of Technology, according to his LinkedIn profile. His Facebook profile is here.

There’s a video of them here. An interview with Gupta last year indicates that they’re going hell for leather for size:

We are focused on growing our user base and becoming India’s largest social networking site within the next two years. Our goal for the next year is to become one of India’s Top 10 Internet destinations.

What’s interesting is that nearly every site that mentions Yaari and allows comments contains sometimes angry complaints from users. In that sense Web 2.0 is very effective in getting the word out. Unfortunately if Yaari and its founders continue to commit such egregious abuses of privacy, we can’t be sure many people will trust such websites long enough for the power of networking sites to be properly realised.

(I’ve sought comment from Gupta, which I’ll include in this post when received.)

Stoop to Congoo?

Is business networking site Congoo resorting to spam to build its user base? I suspect it is.

Congoo is on one hand a good idea — a place to gather and monitor content on your industry, including content that is usually subscription only (like WSJ.com, who publish my weekly Loose Wire column.) But it’s also a networking tool — indeed, its blurb emphasizes that over the content:


But I don’t like being spammed, and I think Congoo may be doing that. Of course, they’re not alone in being accused of spamming — the likes of Plaxo, Zorpia and other networking services make it overly easy for a new recruit to send an email blast to everyone in their address book without them realizing it. To me that’s spam. Even Facebook isn’t entirely blameless: Add any application to your profile and you’re usually within a whisker of spamming all your friends unless you’re alert and scout around for the “skip” button.

But Congoo seems to be taking a different, and in a way more openly spammy, approach. It’s emailing non-subscribers — apparently at random — inviting them to join the network — with no apparent invitation from an existing user, or even a personalized email to indicate the recipient is being chosen for a specific reason. Here’s part of what I got this morning, from someone called Rebecca Simpson, identified as “Manager Network Development”:

We would like to formally invite you to add your professional profile on Congoo. You may recognize many of the professionals already featured:  Media & Advertising  Healthcare  Internet Finance Technology  Politics  & Law

Rebecca’s Congoo profile says she has “specialized in working with press and media outlets to distribute information. I have also organized and executed guerilla marketing campaigns as well as developed proprietary systems and methods for measuring ROI on Web buzz.”

That may be so, but frankly I’m not impressed at this particular pitch. No attempt is being made to categorize me, as I’ve shown only an amateur’s interest in healthcare, and my grasp of law goes no further than thinking ‘tort’ must be in some way related to the word ‘retort’. And I’ve had no prior dealings with Congoo that I can recall aside from several pitches from their (somewhat, er, insistent) PR company, whose own contact database could do with some consolidating.

It appears I’m not alone in thinking this might be a bit too spammy to be decent business practice. The net-abuse mailing list last week collected four examples of an identical message from one Heather Faulkner, who also happens to carry the title of “Manager Network Development” (how many managers of one department are you allowed? I’m not really up to date on that kind of thing), while the spam manager at AKBK Home captured more than 50 in a few hours.

And then there’s Congoo’s own policy on spam, of which this seems itself to be a transgression:

Congoo is concerned about controlling unsolicited commercial e-mail, or “spam.” Congoo has a strict policy prohibiting the use of all Congoo mail accounts to send spam.

I’ve asked Congoo for more information on this, and on their policy about emailing people. At best, I’ve got it all wrong and it’s all a big mistake. At worst, it’s a pretty poor display of a networking site trying to build its base through tactics that make it little different to those of a Viagra salesman. Times may be tough amidst the runaway success of something like Facebook, and the critical mass of LinkedIn, but stoop low and there’s no way back to standing straight.

Plaxo Drops the “Hi, I’m updating my address book” Email

Plaxo is dropping the “Hi, I’m updating my address book. Please take a moment to update your latest contact information…” email which has, over the past three years, raised more than a few hackles. (What is a hackle? And can they ever be in any other state than raised?) Anyway, people (including myself) have objected to the rather cavalier way that Plaxo software would send these update requests out to people. Writes Tom, one of the founders, on the Plaxo blog:

Obviously, a lot of people loved this feature, but some people did not. Journalists, A-list bloggers, and anyone else who is known by more people than they know were inundated with requests. We quickly responded by adding opt-out and throttling features, but we’ve always known that the update requests were a means to an end — our goal has always been to get as many members as possible so that these e-mails were unnecessary. And it looks like we’re finally getting to that end.

Plaxo now say that’s not going to happen anymore, because there’s no need:

As of last week, we’ve passed 10 million members. We are now growing at over 50,000 users a day. Due to this great growth, the depth of our network, plus our heartfelt desire to be good net citizens, we have started phasing out update requests.

This feature will probably always exist in some form, but we are no longer aggressively pushing new users to send out e-mails and are adding restrictions to prevent existing users from sending out large batches. Within the next six months (allowing for releases and upgrades to our base), you should see these messages drop to a trickle.

This is good news. I wonder, though, about the 10 million members thing. After resuming my Plaxo account the other day I got the distinct impression that a) there were quite a few new members from among my contacts on Plaxo but not a massive amount and that b) a lot of those members were not actively updating their contacts. Indeed, it’s not clear to me how one can tell whether an account is dormant, and if so, whether the information that is being updated to your contact list is current or not. (I guess in some ways this may actually reduce the effectiveness of Plaxo, in that your updated contact details for a person may be overwritten by those in a long dormant Plaxo account.) (I just asked Stacy Martin, Plaxo’s long-suffering and patient privacy officer, and he suggests users who no longer update their Plaxo account delete it by going here.)

Anyway, I don’t want to be churlish. It’s good news that Plaxo is phasing out those emails. I can understand their predicament; the product’s usefulness grows the more people use it, so the emails were an important part of spreading the word. Trouble was, some folk found it irritating. Hackle-raising irritating.

Plaxo Moves Into Macland

Plaxo, the software and service that lets you update your contact details with others — and lets them update theirs with you — automatically, is now available for Mac. A press release issued today (thanks, Joseph) says the move “represents a major step toward the company’s vision to offer the first truly universal personal contact management service, accessible on any platform, email client, browser, or mobile device.”

This is an interesting way of putting it. Plaxo has weathered the criticism about privacy concerns — some of them from this humble blog, despite my support for the service as a whole — to expand beyond Microsoft Outlook to America Online, Mozilla Thunderbird, and Outlook Express. Users can also import contacts from their Netscape, Palm, Yahoo! Mail, and Hotmail accounts.

Like a lot of folk I’m torn over a service like this. On the one hand I can see the obvious benefits: Who better to update the contacts in your address book than the contacts themselves? But on the other hand, how many of the contacts in your address book would be happy that the information is being stored on some company server somewhere, without their knowledge or consent? Then again, that last sentence looks less problematic than it did a year or so back. We’ve heard so many cautionary tales about private data getting lost, stolen or abused maybe we think this kind of thing isn’t important. Now, perhaps, we realise that Plaxo is not really the problem here. The problem lies in those companies deliberately collecting data on individuals, whether they’re ordinary Joes like you and me, or members of the CIA, as the Chicago Tribune recently discovered by searching a commercial online data service.

But I’m not sure that’s the case. The bottom line is complex: We should be as careful with other people’s data as we are with our own. If we don’t want a company to keep details of us we shouldn’t keep details of other people online. Of course, this refers as much to any web-based application or storage tool or networking site.

Plaxo, Privacy and ‘Suspicious Behavior’

It seems that there’s renewed interest in Plaxo, the contact sharing service that has attracted attention both for its inventiveness and its privacy implications. First off, a reader from France, Vincent Prêtet, wrote in comments to a previous post that

Plaxo is an amazing great tool to manage an addressbook. I use it since a few months and I am really happy of doing so. However, in France too the use of Plaxo gives rise to a real debate: is Plaxo’s system and are Plaxo’s users respecting the Laws as far as individual rights are concerned?

An EU-law (directive) goes as far as writing that nobody is allowed to transmit “personal data” like contacts of an addressbook to a Third without having first noticed each of the contacts.

Vincent asks whether any similar case is being made in the U.S. He’s also started his own blog on the subject (in French).

Another reader has sent in a screen capture from Zone Alarm that seems to indicate Plaxo “does much more than just collecting personal info”:


I’ve asked Zone Labs about this message, who offer the following:

Yes, it does appear to be one of our alerts. The “Enables Plaxo to Securely Integrate with Outlook Express” is probably the name of Plaxo’s process that triggered the alert. The rest of the copy is the standard message for all “suspicious” alerts. The idea is to let consumers know when a process is occurring that we believe can have security ramifications and let them choose to move forward or not. One of our primary goals is to make sure people have control over what installs on their PC.

Let me know if you’d like me to check with our security team on Plaxo specifically, but typically with the OSFirewall we aren’t looking so much at specific programs, more at the actual behavior of a process (at a glance, I suspect any program that tries to integrate with Outlook that we don’t have specifically whitelisted would trigger the same alert).

At first glance, then, it looks suspicious. But on closer inspection I feel this is more a case of Zone Alarm being a bit too alarmist, or at least not building up a decent database of programs it can whitelist. Plaxo is not exactly a new kid on the block, and although I have my reservations about what Plaxo does, I’m not sure it’s tracking keystrokes, mouse movements or other ‘user behavior’.

Doubtless Stacy, Plaxo’s privacy officer, will weigh in shortly on this!

The Unintentional Narcissism of Plaxo

Plaxo is beginning to irritate people again. Now it’s David Weinberger, who is back to hating Plaxo:

Today I hate it again. I got an update notice from someone and noticed that my own info was out of date. So I took the seemingly innocuous step of updating my phone number.

Lo and behold, Plaxo apparently took that as a command to send mail to everyone in my address book (actually, I don’t know whose address book) that I have new info that they simply must attend to. I am, I seem, an inadvertent Plaxo spammer and unintentional narcissist.

What’s interesting here is the thread that follows: The tireless Stacy Martin, Plaxo’s privacy officer, jumps into the fray to try to explain what has happened. I don’t envy Stacy’s job: While Plaxo may not mean to be intrusive, and in David’s case didn’t behave quite as badly as he’d originally suspected, it clearly hasn’t fully addressed the issues that were irritating users two years ago.

The crucial thing here, I think, is not so much privacy of data as giving the user full control over how they present themselves to others. I get several requests from Plaxo users every month, and I ignore all of them. But how many of those requests are sent with the full knowledge and understanding of the user? Not many, I suspect. These folk’s public image — how they appear to all their contacts — is being largely determined by a piece of software.

Pretty much everyone is going to have in their contact database a range of folk from close friends to important sources you’re careful not to overburden with casual contact. What you don’t want a contact updater to be doing is to start sending out emails on your behalf without you being in full and easily comprehensible control. If someone like David can’t figure out the process and ends up feeling like an “unintentional narcissist”, what chance do the rest of us have?

Plaxo Etiquette: Moral High Ground Or Cheap Stunt?

Plaxo, the online contacts exchange that got some good, and bad, press two years back, is trying to brush up its members’ manners with some Plaxo Etiquette:

Each and every new technology has a learning curve as we figure out how to use it, and use it well. Remember when you’d frequently see people talking on their cell phone in a restaurant, or in the movie theater? And how many of those forwarded blonde or lawyer jokes were really funny?

Plaxo is committed to helping you become a better member of the digital world. Below you’ll find a few tips and suggestions on how to make the best use of Plaxo.

Not bad stuff, although some cynics might say it’s a few years too late. After all, one of the problems that its critics cited was the ease with which users could spam everyone in their Outlook address book, not considered a particularly polite thing to do in any community.

I’m not going to be cheap. It’s good that Plaxo is doing this, late or not. I did, however, feel the PR pitch that accompanied the announcement was a bit overly precious:

Plaxo, provider of an Internet service for updating and accessing contact information, is committed to helping its users be better members of the digital world. The company recently introduced Plaxo Etiquette (http://www.plaxo.com/privacy/manners) to guide members in the proper way to use the technology from the get-go. We challenge other providers of prevalent technologies to do the same.

Cynics, once again, might say that Plaxo was part of the address book spamming lapse in etiquette to start with two years ago, so suggesting it’s suddenly ‘committed to helping its users be better members of the digital world’ and that it feels it occupies such moral high ground it can ‘challenge other providers of prevalent technologies to do the same’ might be considered somewhat rich. I wouldn’t say that, of course; nor would I suggest this is a self-serving piece of publicity to raise the profile of a service that hasn’t been heard of — at least in a positive light — very much in recent months. (A keyword search for Plaxo of Google News throws up three references to the dangers associated with Plaxo and phishing, one to Plaxo and privacy and nine neutral references in passing.)

Another Plaxo?

Judith Meskill at the socialsoftware blog points out that BusinessWeek Online is Gaga over Bebo and wonders:

Is there something I am missing here? How is Bebo.com different than Plaxo.com? The service that so very many have grown to love to hate? Why would we all fall in love with Bebo whilst loathing Plaxo?

I haven’t really tried Bebo yet, but from what I can see it doesn’t look that different to what Plaxo was doing. As Judith also points out, no one is quite sure whether Plaxo is the personification of evil or a darned good thing, though last time I looked I felt there were some serious privacy issues that had yet to be addressed. Maybe they have been; that was more than a year ago.

I notice that Plaxo now has nearly 5.5 million members and 1.2 billion [sic] ‘connected contacts’. (They passed 5 million in late January.) That’s a lot of people, even if you factor in the duplicates (since Plaxo doesn’t weed or match contacts — if you’ve got a Joe Bloggs and I’ve got a Joe Bloggs in our address book, that’s two Joe Bloggs even if they’re the same guy.)

Also I notice that Plaxo has a revised privacy policy, including the important one:

You maintain ownership rights to Your Information, even if there is a business transition or policy change.

Sounds like they’ve listened to people. I’ll try to take a closer look at this issue again in coming weeks. Thoughts as always very welcome.

ZeroDegrees Responds

Further to my ZeroDegrees debacle, in which I succeeded in spamming 2,000 people in my contact book with barely a click, here’s a response from ZeroDegrees’ Jas Dhillon, CEO and president of the company, and Mark Jeffrey, VP of Product, to my questions. I’ve edited a little for length.

How is it that even experienced users can be duped into sending invitations to their whole address book? Why is there no confirmation option, or chance to select who they include?

We don’t force you to invite any of your contacts if you don’t want to. If you want to selectively invite your contacts you can click on the “Not Now” button, login to the web application and selectively invite your contacts to join ZeroDegrees and become part of your “friends network.” We do provide a customization button where you can accomplish exactly what you requested. The customization button is on the lower left hand corner of the “build my network” box. After clicking the button, you can manually select contacts from your list that you do not want to send a ZeroDegrees invite to. It is that simple.

How does one remove one’s contacts from ZeroDegrees’ servers if one decides not to continue the service?

Just drop an email to customer care requesting that your name and contacts be removed from the ZeroDegrees server. This is done within 48 hours of receiving the request.

How does ZeroDegrees plan to make money from the service?

Stay tuned.

Sorry, but I don’t really think these answers are sufficient. The process to manually select contacts should be the default: It should be very, very hard for users to send emails to everyone in their address book, and it should be very, very easy for them to (a) know this is happening and (b) be able to stop it at any point. None of this is true in ZeroDegrees’ case. It does not sound “simple” to me, and I suspect it wouldn’t to the casual user.

Secondly, removing one’s contacts from ZeroDegrees’ servers should not involve sending an email to customer care or having any direct contact with the company. By definition someone wanting to remove their contacts from ZeroDegrees is probably wanting to minimise any contact. There should be a checkbox or some other prominent menu option that makes it easy for users to do this. This option should be part of the uninstall process, too, since it’s likely many folk uninstalling the program are those who want to unsubscribe from the service.

Lastly, not giving any clue about how the company intends to make money from the service is only going to add to suspicion about what ZeroDegrees plans to do with all the sensitive data it is collecting. The company should be upfront about this. None of these issues is new: We’ve been here before with Plaxo which has endured a battering from users concerned about privacy. Plaxo, at least, has responded to those concerns, and is stronger for it. The chances of ZeroDegrees avoiding that scrutiny, if it gains any traction at all, are slim.

Hoodwinked By Another Plaxo

Another embarrassing morning. Last night I tried out a new contacts/social networks program called ZeroDegrees, which promises to ‘connect you with the people you really need to reach through the people you already know’ etc etc. A sort of cross between Plaxo and LinkedIn.

The software installs into Outlook and one or two other email clients. It then mines your contact list and uploads it to ZeroDegrees’ server, while offering all sorts of reassurances that nothing will be sent out without your say-so (‘Your contacts are secure. They are always your private information and in your control. ZeroDegrees will never send email to your contacts (unless you invite them).’) Sounds like these guys have learned the three Plaxo Lessons: Privacy, security and privacy.

Er, no they haven’t. And neither have I. Click on the Outlook toolbar button called ZeroDegrees and you get one button ‘Build Your Network.’ Nothing more. Click on that and you get a synchronisation page. It’s not really clear what’s being synchronised but you’re told that still nothing is being sent out, so you should relax and watch the sliding bar.

Well, actually, don’t. You should be thinking of aborting, if you can. Next you get two buttons: ‘Email invitations’ and ‘Not now’. The first time around I tried ‘Not now’, thinking I might explore the program a bit more. But there’s really nothing else to explore so I went back and clicked ‘Email invitations’, thinking, like later versions of Plaxo, you would get a chance to select who you invited. You don’t: Click that button and every contact in your address book will get spammed, sorry invited.

Of course, I only realised this after it had started doing so — and even then all you see is a bit of traffic in your firewall icon, nothing more. When my suspicions were aroused, I force-closed Outlook (no cancel button on ZeroDegrees) in the hope I had stopped the deluge of 2000 emails before it had started. No such luck.

This morning I wake up to dozens of automated responses, ‘do I know you?’ emails and quizzical missives from old contacts, flames, friends and assorted contacts politely asking me if I’m mad. Of course, it’s lovely to hear from these folk, but mortifying to have spammed them, tried to get them to sign up for something I didn’t really sign up for myself, and to have basically done all the things I’ve been preaching against. Sorry, everyone.

The lesson here: No one seems to have learned The Plaxo Lessons:

  • Tell the user what is happening;
  • Let the user choose who they spam, sorry invite;
  • Let the user stop what is happening if they don’t like it;
  • Don’t mislead the user.

Amen. Now I have to write apologies to dozens of people upset by the spamming (maybe that’s what they mean by ZeroDegrees, as in very, very frosty response from friends and contacts?) On the plus side, I can spend the rest of the morning swapping updates with some old chums I haven’t been in touch with for a while.

My advice: Don’t get ZeroDegreed.