social - Halte au Spam

Document Sample
social - Halte au Spam Powered By Docstoc
					Contributions - Reflections

                                                                                                                                  Paris, November 3rd 2003

Do social applications pose a threat?
By Frederic Aoun & Bruno Rasle, co-authors of the book “Halte au Spam” (éditions Eyrolles)
This contribution was presented at the “Spam Forum Paris” event, held on November 3rd 2003

                                      France is no longer spared by the Plaxo1 phenome-               The creator of a French start-up declares: “Plaxo is a
                                      non – the most representative application of a new              killer application for me. I have gathered more than 2,600
                                      breed of cooperative applications. Keeping an up-               contacts in the last few years. Plaxo allowed me to update my
                                      to-date address book, without too much effort is a              entire base in less than a week! It’s fabulous!”It is quite
                                      dream to most e-mail users. Plaxo contacts, by the              common to find quotes praising the application on
                                      start-up with the same name, solves the matter. The             related discussion forums: “Great Product. I have been
                                      tool automatically syncs and updates Outlook ad-                looking for something to keep my contact list up to date on
 Social applications are in           dress books. Its impressive success can be attributed           both my computer at home and at work. This product is
 vogue. This type of softwa-          to its viral marketing distribution scheme as well for          fantastic. I highly recommend it. Best of all it is free.”
 re is based on human rela-           it being free of charge. Upon installation of the
                                      plug-in, selected address books are duplicated and              Based in Mountain View, Plaxo is a typical Califor-
 tionships. Some examples             uploaded to servers at the California-based com-                nia star-up. Around twenty employees are under the
 are Plaxo’s service (allows          pany. Emails are then sent to all selected contacts             management of 23 year old Sean Parker2. The young
 for automatic updates of             asking them to correct and update their informa-                CEO comes from the Napster team. After manag-
 Outlook address books)               tion. The update request messages (figure 1) can be             ing to leverage 2 million dollars on the first round
 and Friendster (get to know          partially     custom-                                           of financing last year, the company has raised an
 your friends’ friends). Their        ized. Responses are
 impressive success can be            then automatically
 attributed to their viral mar-       processed in order
                                      to update users’
 keting distribution scheme
                                      address        books.
 as well for being free of            Users may also
 charge.                              visualize their con-
                                      tacts over the Inter-
 However, these applica-              net via a web inter-
 tions worry antispam devo-           face.
 tees. Are these fears justi-         Users who have
 fied?                                adopted Plaxo will
                                      be             called
 The objective of this docu-          “sponsors” along
 ment is to shed some light           this document. His
 on the way these applica-            correspondents,
 tions function and help              who appear as con-
                                      tacts in his address
 consumers make their choi-
                                      book, will be re-
 ces.                                 ferred      to     as
                                      Sponsorees       that
                                      have decided to use
                                      the application are
                                      said     to     have
                                      Plaxo      Contacts
                                      brings a simple
                                      solution to a com-
                                      plex problem. Ac-
                                      cording to the com-
                                      pany,        studies
                                      showed that in the United States, a third of email              Figure 1: Update email sent by Plaxo to sponsorees on behalf
                                      addresses changed every year. Users unanimously                  of the sponsor. Most of the text is in English and cannot be
                                      praise the application’s ergonomics and stability.                                                     translated into French.

                                                                     Frederic Aoun & Bruno Rasle (
Page 2

additional $8.5 million this summer. Expenses are limited to the mini-
mum: no advertising costs are incurred since the tool is promoted
virally by its adopters. Plaxo does not expect any short or mid term                                                       jean
revenues, its model has failed many times: conquer a client base with a
free offering and then try to make companies pay for the service. Will
they be able to pull it right this time? Only a few competitors are to be
found on the market niche, among them: GoodContacts and Addres-                                                                                               marie
“There is no free lunch”
But what is the economic model of a company that vows to keep Plaxo
Contacts free of charge and plans to propose a pay-for feature-enriched
“business edition” of the tool? In such a case the free version would                                               john
have permitted to validate the development as well as to capture inves-                                                                                           bernard
tors’ attention. The company has also announced a revenue source
from the sale of demographic data. Does this refer to ongoing research                                                       ana maria
on the theory of “six degrees of separation3”? Data mining analysis of
Plaxo’s base could partially answer many questions: How does informa-                                Figure 2: This diagram illustrates social networks managed by Plaxo. Users of
tion flow among a decentralized network, and in particular viruses? Can                                             the application are shown in red (sponsors and converted users).
social relations on the Internet be charted? How do these relations
evolve in time? It seems that several ongoing research projects at US
universities may be more suitable to find answers to these questions.                                which a telephone number was judged to be nominative data since it allows for
                                                                                                     the identification of its subscriber.” Thus every address database holder
The number of contacts held by Plaxo is undisclosed, but the growth
                                                                                                     is obliged to declare its lists to the French privacy authority
rate, according to one of Plaxo’s officers, is said to be exponential. The
lack of clarity of the business model was blatant during the launch of                               (CNIL) and respect a number of constraints. Particularly, indivi-
the service in November 2002. Plaxo’s founder would then dismiss all                                 duals must be informed – at the time of data collection – of the
questions with the same answer: “We think one of the most clever aspects of                          eventuality of a sale or transfer of the database to a third party.
what we're doing is the business model, but right now we're talking exclusively about                This potential transfer must have also been declared to the privacy
the product launch, not about the business model!” Doc Searls, senior editor at                      authority. Furthermore, a 1995 directive specifies that the sale of
Linux Journal4 was not convinced: “If they won't explain how they                                    personal information can only be performed if individuals are
intend to make money, one can only assume they intend to spend it,"                                  previously informed of that eventuality and are given the possibili-
Searls said. “The product looks like a new way to hire a company to annoy your                       ty to oppose it in a simple and free-of-charge-manner. For the
friends. It feels like spam. It's annoying, and I don't think there's a viable plan                  specific case of database export to a foreign state, specific res-
here.” Judging by the amount of candidates that rushed to the last fi-
                                                                                                     traints exist on a per-country basis (for the US, the European
nancing round5 it is likely that Plaxo was more articulate about its busi-
ness model then.                                                                                     Union has settled that companies which comply with the “safe
                                                                                                     harbour6” initiative ensure an adequate level of data protection).
Even in case Plaxo’s commitments are held, a few common sense                                        This been said, the recent position of the French privacy authority7
questions may be asked:                                                                              regarding the transfer of US-bound passenger data to the US cus-
      Can messages addressed to sponsorees be considered as spam?                                    toms service is interesting. In addition of violating French law’s
      Even under the light of the endless list of spam definitions it is                             principle of “diversion of objectives in data processing”, since the
      difficult to see the service’s update messages as such: the recipient’s                        data was initially collected for commercial purposes and not for
      address was collected in respect with French law by the sponsor.                               security ones, the French authority has expressed doubts over the
      The message is sent in a transparent manner without forged hea-                                level of privacy protection under which the data will be treated by
      ders. Recipients can easily refuse/return/filter such messages and                             the American authorities.
      may request their personal data to be erased from the sponsor’s                                But can an Outlook address book be considered as a personal
      database. Furthermore, update requests are personalized and sent                               information database – and therefore subject to declaration to the
      in limited numbers.                                                                            privacy authority? This suggestion may sound ridiculous for the
      Are these practices in accordance with US law? The opposite                                    address book of an individual with a couple dozen addresses, com-
      would be surprising. The fact that the service is limited to users                             posed mostly of friends and family. What about for the case of
      older than 13 is an indication that Plaxo has taken legal precau-                              professionals who manage address books of several hundred
      tions. In February 2003 two American companies were sentenced                                  contacts? French privacy law was amended in 1995 in order to
      to $85,000 and $100,000 fines by the FTC for not respecting                                    take under consideration technological progress, in particular the
      COPPA’s (Children’s Online Privacy Protection Act) guidelines.                                 widespread use of electronic mail. Personal address books were
                                                                                                     excluded from the scope of the law. However, we have intervie-
      Does the service respect French laws and in particular 1978’s                                  wed French Plaxo users who manage several thousand addresses-
      “Informatique et Libertés” legislation? Electronic addresses are                               long contact books – mostly professional contacts. Are these users
      considered as personal data in France. On this precise question the                            abiding by law? Only jurisprudence will tell.
      CNIL (French equivalent to the FTC) specifies: “The commission
      recurrently considers an email address to be nominative data, in a direct man-                 In addition, the approach is not at all in accordance with the
      ner if means of identification appear on the address, or indirectly since an email             French privacy authority’s opinion on sponsorship-based data
      address is always attributed (or read by) to a physical person. This position                  collection. On its last report8, the commission recalls that Internet
      was strengthened by the 1992 ruling by BREY’s correctional tribunal in                         users who wish to act as sponsors are to “get prior consent from

                                                              Frederic Aoun & Bruno Rasle (
                                                                                                                                                                     Page 3

their sponsorees, before their personal data is communicated to a
company with which they have no relationship”. Belgium decided
in March 2003 to forbid sponsorship altogether.
Since Plaxo states to not use its database in order to send promo-
tional mails, its procedures should not infringe on the future Euro-
pean antispam law. Plaxo’s founder replied to an attack regarding
this particular point in June 2003: “we are a software/services company,
not a direct marketing company. In fact, the raw contact data that passes
through our system without associated behavioural data is pretty worthless to                                                         Plaxo Inc.
marketers. If we were in the business of selling this kind of data then we would
not have a business at all. In case your readers are still not convinced I urge                                                           sniff

them to head down to their local software retailer where they can pick up a few


million addresses on CDROM for around $30.” Does Mr Parker                                                                                    Spammer
confuse spammers and direct marketing professionals? In any case
the response we got from Plaxo was very clear: “We do not sell or
exchange anyone’s contact information with third parties, and we believe very
strongly in protecting the privacy rights of our users and non-users alike.”
There’s also the language problem. Not all French Internet users                      Sponsor
master English. It is not easy for them to clearly understand nei-                                                                                Sponsoree
ther how the service works nor its potential risks.
How about if we now loose ourselves to paranoia, what are the
potential dangers?                                                                                     Figure 3: Potential risk of personal data being sniffed by a spammer.

 •     The company’s commitments are not held – which we can-
       not imagine                                                                                    The dialog between Plaxo’s plug-in and the central server is
                                                                                                      sent using HTTPS. This encryption avoids data being snif-
 •     Spammers gain access to the database one way or another. It                                    fed by middlemen. However, when a sponsor decides to
       is difficult to not think about Microsoft’s Passport9 recent                                   launch an update of his “unconverted” contacts, emails are
       security flaw. Without doubt, Plaxo’s base must constitute a                                   sent using regular SMTP (unencrypted). A spammer or a
       premium target for spammers all over the world. The                                            hacker could listen to this dialog – the closer to Plaxo’s
       “freshness” of the addresses must be particularly attractive.                                  server, the better – and recover all the personal data being
                                                                                                      transmitted. We interviewed one user who felt his data was
 ◦     An unhappy employee quits the company with a copy of the
                                                                                                      safe: “communications between my computer and Plaxo are sent using
       file. Security experts agree on this scenario to be a common
                                                                                                      SSL.” It should be noted that arrows on figure 3 represent
                                                                                                      the logical flow of information between sender and recipient
 ◦     Spammers order hackers de break into the system. After                                         and hide the actual physical path of the data (where interme-
       SoBig10, a new reason to fear collaboration between the two                                    diate servers are involved). Theoretically all exchanges could
       communities?                                                                                   be encrypted. However, very few servers implement encryp-
                                                                                                      tion (TLS).
 ◦     A spammer is able to sniff Plaxo’s links to the Internet –
       although the transfers of users’ address books to Plaxo are                             •      What will happen in the event of bankruptcy or sale of the
       secure, update e-mails are sent without any encryption, as                                     company? Will data privacy engagements be held? Even in
       described on figure 3.                                                                         France, where the transfer of personal information data is
                                                                                                      only permitted with the users’ consent, many abusive cases
                                                                                                      have been observed. Plaxo’s web site states: “If Plaxo is
                                                                                                      sold, acquired or dissolved, we will notify you about this
                                                                                                      transaction. We will do our best to make sure that any com-
                                                                                                      pany who acquires us or purchases our assets will treat your
                                                                                                      information in the same manner that we do, but we would
                                                                                                      not control those companies and therefore cannot make any
                                                                                                      binding commitments on their behalf.” Danah Boyd, a Ber-
                                                                                                      kley Ph.D. student, states in her thesis “Data Identity Mana-
                                                                                                      gement11” a similar case when Google acquired the Deja
                                                                                                      Usenet archives. Many users reacted to the valorisation of
                                                                                                      their intellectual property. Google agreed to remove any
                                                                                                      entry upon demand from the submitter…except in case the
                                                                                                      submission had been incorporated into someone else’s reply!

                                                       Frederic Aoun & Bruno Rasle (
Page 4

       •     More troubling, imagine the following scenario: It’s the year
             2004 and Plaxo’s base has reached 150 million contacts… A
             spammer buys a file containing one million unqualified                                                      jean
             contacts, consisting only of email addresses, with no other
             data. He becomes a Plaxo user (under several usernames)
             and asks the system to update his file, presented under the                                                                                    marie
             form of harmless Outlook contact files. Very shortly, the
             spammer will have retrieved a personal-information-
             enriched file with: name, telephone numbers, physical ad-
             dresses… All this, without users even knowing! This proce-
             dure is already possible since the system will automatically
             reply (by default) to any update request for a contact that is a                                     john
             Plaxo user (the “allow people who know my e-mail address
             to lookup this information” checkbox is checked by default                                                                           mitsuko
                                                                                                                           ana maria
             – see figure 4).
                                                                                               Figure 5: Potentially Plaxo may be able to collect data that could allow obtaining:
                                                                                                                              direction and frequency of exchange between users.

                                                                                            contractor of the Army. The data manipulation was to allow identifying
                                                                                            “abnormal events or activities that may include rebel actions before
                                                                                            damaging events occur”. Lee Tien of the Electronic Frontier Founda-
                                                                                            tion14 declared: “We should put the brakes on all these data-mining programs,
                                                                                            and have a serious national conversation, because travel data is just one example of
                                                                                            the many kinds of data every data-mining operation wants to suck in from private
                                                                                            The ability to cross correlate entries and be able to reconstruct someo-
                                                                                            ne’s online personae with several e-mail addresses can also be imagined.
                                                                                            These aliases are often used in order to manage online identities users
                                                                                            present to be able to keep certain anonymity. Plaxo’s reply to this parti-
                                                                                            cular point is quite explicit: “We do not attempt to cross-check the
                                                                                            accuracy of the data in our users’ address books, e.g., there might be
Figure 4: By default the system authorizes automatic update of contact information.         thousands of entries that refer to John Smith, but no way to determine
The “Public Cards” help window opens by clicking on the “What’s this” link,                 whether these entries refer to the same person”
explaining the implications of this option.                                                 John Robb, ex Forrester Research senior analyst, believes Plaxo may be
                                                                                            preparing to launch an antispam offer15: “After a little thinking, I suspect the
       •     Phishing scams can also be feared. It is quite easy to imagine                 way that they will make money on this is by offering spam filters for $$. These
             a message which looks like a legitimate Plaxo update mes-                      filters would block all incoming e-mail that isn't in an address book. Since the
             sage, with a copy of the logo… This type of frauds has been                    majority of e-mail traffic is with people in your address book your e-mail would be
             on the rise during the last several months12.                                  spam free. Those people that send you e-mail that aren't in the address book, would
                                                                                            be automatically sent an e-mail that asks them to enter in contact information (when
       •     Besides these spam-related subjects, it is difficult not to
                                                                                            they do, the original e-mail would be delivered). Of course, the spammers won't do
             wonder about potential relational network information that
                                                                                            that and therefore will be automatically excluded.”
             could be data-mined from the database – industrial espio-
             nage? The mere notice of repeated entries of a client coveted                  Are French users aware of the way Plaxo works, and of all its potential
             by an American company in a European corporation’s ad-                         risks? For some of them language is definitely an obstacle. After asking
             dress books may represent valuable information… One can                        users whether they had really acknowledged the system’s operating
             also imagine a sales representative of a French company who                    mode when they downloaded the application, we often received the
             decides to use the system and selects to update not only his                   same answer: “Not really, I read the contract quite fast. Everything is English,
             personal address book, but also the company’s shared ad-                       and I do not speak it very well.”
             dress books. The entire client/prospect list is then transfer-
                                                                                            Can Plaxo e-mails be seen as spam by spam filters? We have seen that
             red outside the company!
                                                                                            under a legal point of view such cannot be the case. Furthermore, Plaxo
Figure 5 shows information that could be potentially gathered by the                        proactively restrains users from abusing the system by limiting the fre-
system: frequency and direction of exchanges between users. Intelli-                        quency of updates. But spam filters do not rely on the same criteria. In
gence agencies all over the world must be interested for this type of                       order to avoid been blacklisted and to increase the confidence of spon-
information… Wired News13 recently revealed deviant use of passenger                        sorees, Plaxo’s update requests are made to seem to emanate from the
data. The information had been gathered by JetBlue and used by a sub-                       sponsor’s computer. Whenever a sponsor decides to request an update

                                                            Frederic Aoun & Bruno Rasle (
                                                                                                                                                                                              Page 5

from within Plaxo’s Outlook plug-in, he or she selects the contacts he                                                and others).”
wishes to update and launches the procedure. What follows is an
                                                                                                                      Plaxo’s FAQ indicates that if someone wishes his personal information
HTTPS dialog between the users PC and Plaxo’s servers. Next update
                                                                                                                      to be removed from the system he should ask the respective Plaxo user
e-mails are sent (using SMTP) from Plaxo’s infrastructures towards the
                                                                                                                      to delete the entry (the company refuses to modify any contact informa-
sponsorees. Headers from one such message are presented on figure 6.
                                                                                                                      tion from users’ databases). Plaxo also offers to make that request to
X-From_: Mon Sep   8 12:21:03 2003
                                                                                                                      the user on his behalf.
Return-Path: <>

Received: from ( [])                                                           Plaxo may also automatically reply to any update requests on behalf of
      by with SMTP id h88AM26X010721
                                                                                                                      persons wishing to opt-out16 from having their data on the system. Any
      for <filleul@son-domaine.c0m>; Mon, 8 Sep 2003 12:21:02 +0200
                                                                                                                      further update requests are automatically replied to. Of course, in order
Received: (qmail 538 invoked from network); 8 Sep 2003 10:21:23 -0000

Received: from unknown (
                                                                                                                      to do this, one needs to create a special account and provide…one’s e-
 by with QMQP; 8 Sep 2003 10:22:23 -0000
                                                                                                                      mail address.
Received: from by; 8 Sep 2003 10:21:53 -0000

Message-ID: <>
                                                                                                                      What advice can be given to a French Internet user who receives an
Date: 8 Sep 2003 10:21:22 -0000
                                                                                                                      update request from a relationship? Maybe a reply among the lines of:
From: "Parrain" <parrain@un-domaine.c0m>                                                                              “You are a Plaxo Contacts user. Have you thoroughly understood its
To: "filleul" < filleul@son-domaine.c0m>                                                                              operating mode? You have communicated my personal information
Reply-to: "Plaxo Contact Update for Parrain" <>
                                                                                                                      without my consent to a foreign private company. This violates several
Precedence: bulk
                                                                                                                      articles of the 1978 law “Informatique et Libertés”. Please take the
Subject: Any changes to your contact info?

MIME-Version: 1.0
                                                                                                                      necessary steps to remove all my personal data from their system.
Content-Type: multipart/mixed;
                                                                                                                      Please forward me an acknowledgement proving this.” This request
boundary="------------C0302C3E1ADE2168BC4F49CB"                                                                       should be directly sent to the sponsor without using the “reply-to”
                                                                                                                      function which would send the reply back to Plaxo.
Figure 6: No e-mail is actually sent via SMTP from the sponsor’s computer.
                                                                                                                      Launched in March 2003, Friendster17 responds to a different need:
The headers tell that the message was sent from a computer with IP                                                    extending one’s social relations. With a peer to peer model, this applica-
                                                                                                                      tion allows to create a contact with “my friends’ friends”. In this case
address (which corresponds to the sponsor’s address)
toward a server belonging to Plaxo. Next the message is relayed to the                                                no software needs to be installed on users’ computers. Users create
                                                                                                                      their profiles on Friendster’s web site. He or she may fill the informa-
sponsoree’s server ( This tale does not reflect the
reality. Although it may seem there was an initial SMTP connection                                                    tion fields with real or made-up information (see figure7).
between the sponsor’s PC and Plaxo’s infrastructure, we have seen that
this exchange is performed under HTTPS using a proprietary protocol.
“The emails are sent from our servers at the moment, though we may
change that in the future” was Plaxo’s reply to our question on this
In spite of all these precautions Plaxo’s update request must be regularly
blocked by filters. The company has added a related answer to its FAQ.
Plaxo also says to regularly test its mails against antispam filters in order
to avoid being blocked… They also say to be in permanent contact with
ISPs in order to make sure the messages get delivered.
What type of personal data is collected? By default Plaxo handles the
“professional” fields present on VCards. The company avoids collecting
“meetings” and “notes” fields for security reasons. It is quite troubling
that a system that pledges to be secure, avoids collecting certain types of
data for… security reasons. But users may select to allow “personal”
fields of VCards. Home addresses, home phone numbers and cellular
phone numbers are then collected…
But can one really prevent his personal data being communicated
to Plaxo-likes, most of the time by close relationships? What kind
actions can be taken? The closest relationship circle, made up of family
and close friends can certainly be informed (in a humane and friendly
way) that we do not wish our personal data being communicated to
third parties under any circumstances. Many of us have done similarly
regarding the desire not to receive chain letters or jokes. For the exten-
ded circle (casual friends and work acquaintances), it is almost impossi-
ble. A disclaimer after of the e-mail signature may have some effect:
“Please take care not to communicate my personal information – including my e-                                                                               Figure 7: Friendster’s user profile fields
mail address – to third parties without my authorization. This remark is also valid
regarding applications that perform automatic updates of address books (e.g. Plaxo

                                                                                      Frederic Aoun & Bruno Rasle (
Page 6

Upon this first step, new users need to find at least one known user and             Danah Boyd, researcher at Berkeley, currently conducts a study on
ask him to “become his friend”. The two will then be able to browse                  Friendster and other tools that allow weaving relationships. She is parti-
through each others friends’ profiles. We tested this service. By associa-           cularly interested in understanding how users manage their social facets
ting to two direct friends (in the first degree) we gained immediate ac-             online. Her site19 presents a survey where Friendster users can partici-
cess to a network of more that 2,900 potential “friends” (up to the                  pate.
fourth degree, see figure 8)!
                                                                                                           In France, the online dating sector is very popular
                                                                                                           with sites such as NetClub, TurboDating or Mee-
                                                                                                           tic. All of them are currently free of charge and
                                                                                                           have a business model based on online advertise-
                                                                                                           ment. Only has decided to rent its
                                                                                                           users’ information to direct marketers.
                                                                                                           The concept of French Startup iPropi20 is directly
                                                                                                           based on the theory of “six degrees of separation”
                                                                                                           applied to a common daily life problem: “If my
                                                                                                           friends cannot help me, the friends of my friends
                                                                                                           may be able to help, and their friends will for
                                                                                                             Stanley Milgram21 was a Yale social science resear-
                                                                                                             cher. He stated the theory on the six degrees of
                                                                                                             separation22 in 1967. According to Milgram, any
                                                                                                             US citizen could be in contact with any other US
Figure 8: Friendster’s user interface.                                                                       citizen through 6 other citizens at most. He empi-
                                                                                     rically verified his theory using the postal service. He asked a few Oma-
At this point users may perform searches by using different criteria                 ha (Nebraska) residents to send a letter to an unknown person living in
(interests, sex, age, etc.) or simply navigate through associated friends’           Boston (Massachusetts), only identified by his name, profession and
profiles. In order to establish a direct (first degree) relationship with a          geographical region. Subjects were asked to send the letter to people
friend’s friend, a message can be sent via the user interface. Friendster            they knew who could possibly reach this person either directly or indi-
has numerous points in common with Plaxo such as the notion of rela-                 rectly through their relationships. On average five to seven “middle-
tional networks. The system seems to have been well thought out in                   men” were necessary in order to deliver the letter.
order to limit potential abuses. For instance e-mail addresses of users
                                                                                     This empirical test has been eagerly debated over the years, with criti-
are not available online. Any messages exchanged between users are
done so internally, and not through SMTP (without ever knowing the                   cism focusing mainly on the choice of the user panel. Recently, two
                                                                                     concurrent studies23 have sought to validate Milgram’s idea on a larger
recipients e-mail address). Finally, it is impossible to broadcast messages
to several users simultaneously. The service says to have over one mil-              scale by using e-mail: The Electronic Small Word Project24, conducted
                                                                                     by Ohio State University sociology professor James Moody, and The
lion members with more than 500,000 new subscribers just for June
2003. The user base growth is announced to be of 20% per week18.                     Small Word Research Project, conducted by a team of sociologists lead
                                                                                     by Peter Sheridan Dodds25 from Columbia University.
Friendster’s base represents without any doubt a target for spammers.
                                                                                     Fabrice Cavaretta, CEO of iPropi came up with the idea of a small ads
Not only does it conceal millions of e-mail addresses, but it also
contains profiling information which may be extremely valuable to                    site based on the principle of friend to friend e-mail propagation.
                                                                                     “Propagators” are reward prizes for helping the advertising user (who
sophisticated spammers. Unlike Plaxo, it is difficult to imagine users
inviting their entire list of contacts to join the system. The perimeter of          published the small ad) find what he was looking for. This rewarded is
                                                                                     paid for by the advertising user. So far the service is free of charge but
sponsorship seems limited to close acquaintances. As in the case of
most sponsorship-based schemes, the system allows to send invitation                 the business model is inspired on eBay’s. Fabrice Cavarretta revealed on
                                                                                     an interview26 that the virality threshold level had not been yet reached.
emails to sponsorees. One can legitimately wonder about the destiny of
all the submitted sponsoree addresses (including the ones belonging to               iPropi’s economic model seems clear and healthy. There is no language
people who do not become users)? As in Plaxo’s case, Friendster adver-               barrier (for French users), however, users should take time in order to
tises a strong antispam policy and says to never resell personal data to             thoroughly read the contract and help pages. The system limits potential
third parties: “The friend may contact Friendster to request removal of              abusive usage, for example by restricting the amount of messages that
this information form our database.”                                                 may be sent. The company also reserves the right to terminate any ac-
                                                                                     count if the system is misused. Nonetheless we have identified three
Friendster’s service is currently free of charge. However the company
                                                                                     points which may be improved: while the antispam policy information
has announced that in the future some of its features will be available
                                                                                     page commits to “never sell user’s personal information”, the online
for a fee. Several competing offers have recently appeared, including
                                                                                     contract indicates that “iPropi may be authorized to disclose personal
some in France. Perhaps a proof of its success, Friendster has even got
a parody site, Some competitors have sought the niche                 information to third parties.” A user whishing to have his information
                                                                                     erased from the system is asked to send a letter to iPropi, while a simple
of professional contacts networks (among them:, ecademy,
linkedin,                                                    click is enough to accept the legal contract and begin using the system.

                                                     Frederic Aoun & Bruno Rasle (
                                                                                                                                                                     Page 7

Finally, the online contract states: “iPropi cannot be held responsible             mission is to “build users' trust and confidence on the Internet and, in
for damages resulting from the loss, the alteration or fraudulent access            doing so, accelerate growth of the Internet industry”… But after a clo-
to personal data…” The French “Informatique et Libertés” law is very                ser look it appears that TRUSTe’s coverage is limited to data collected
clear on these issues: the person in charge of a personal information file          only on Plaxo’s site, and doest not cover data collected through the
must take appropriate action to protect it – this protection should be in           Outlook plug-in. Mr Carlos Gil, compliance Analyst at TRUSTe
accordance to the sensitivity of the data that is stored. We contacted              confirms this point: “TRUSTe currently only reviews and covers the data collec-
Fabrice Cavarretta regarding these points. He promised to analyze them              tion and use practices on TRUSTe certified websites and does not review/cover
and carry out appropriate modifications.                                            downloadable software. For technical reasons TRUSTe does not deal with issues
                                                                                    related towards downloadable software. Our Account Managers are able to walk
Two new French services are following on iPropi’s lead: Friendset and
                                                                                    through websites and review them finding pages that collect PII and ascertain the uses
NetFriends. Their respective CEO’s did not want to comment on their
                                                                                    of consumers PII to help licensees write their privacy policies. Our Account Mana-
economic model upon launch27. Friendset terms and conditions reveal
                                                                                    gers are not programmers and cannot fully understand every downloadable program
the following note: “We may send our members promotional offers
                                                                                    in a way to accurately help write a privacy policy for our licensees. That is why if one
from third parties. Should a member not want to receive such offers
                                                                                    of our licensees offers software, TRUSTe has them place a disclaimer for consumers
[…] he or she may opt-out when subscribing to the service or at any
                                                                                    stating that TRUSTe only covers the information collected on the Web site.”
other time by using the user interface, by sending an e-mail to priva- or through regular mail.” Once the new “loi pour la                 When we began studying Plaxo, we were intrigued by the fact that seve-
confiance dans l’économie numérique” law is voted, op-out28 will be                 ral sponsorees received update requests from people who knew almost
replaced by opt-in29. The entire user database will then need to be re-             nothing about them, besides their e-mail address. After downloading
qualified.                                                                          the application we discovered an uncommented function (see figure 9)
                                                                                    which allows extending the number of contacts beyond one’s address
Databases represent a real asset to these companies. In August 2003,
                                                                                    book to anyone with whom you have exchanged an e-mail. Does this
Harvard Business School professor John Deighton raised a polemic
                                                                                    function explain such update requests?
question: “if our personal information is so valuable
to enterprises, why shouldn’t we be the first to profit?”
His “Market Solutions to Privacy Problems”
study suggests compensations such as pre-
mium offers or specific services for consu-
mers. He adds, “The solution is to create institutions
that allow consumers to build and claim the value of
their marketplace identities, and that give producers the
incentive to respect them.” 30
The ideas behind these new services do res-
pond to actual needs. What is to blame is that they are often applied                    Figure 9: Plaxo’s plug-in has the ability to collect the e-mail addresses of episodic
without enough care for cultural differences and local legal constraints –                                     correspondents – they are classified per exchange frequency.
in our case France’s. Furthermore, some of these initiatives may seem a
                                                                                    Ideally such services should allow users who do not want to use the
little clumsy under the current spam crisis, even when the companies
                                                                                    system anymore to be able to delete their entire records with a simple
behind these services say to be well aware of the problem.
                                                                                    operation. We hardly see any of these companies implementing such
Coming back to Plaxo’s example, our advice to potential users is to                 functions without being forced to do it (will this be a role to be played
thoroughly understand its mode of operation. Users should be careful                by future labels?).
of default options such as the “allow people who know my e-mail ad-
                                                                                    Users should weigh the benefits against the risks involved. Cases
dress to lookup this information” checkbox which permits someone
                                                                                    where users are asked to trade-in sponsorees’ data in order to gain
who only knows your e-mail address to collect all one’s information
                                                                                    benefits are far more delicate. All this is done without taking into
without one even knowing it.
                                                                                    account the “Informatique et Libertés” law. One user who responded
The service could probably be more trustworthy if it would only store a             to our interview declared: “the people’s data in my address books belongs to me.
fingerprint of each contact’s information – and not the actual data. This           According to the CNIL, name, surname, and e-mail address cannot be considered as
fingerprint could be obtained by using a one way hash function and                  nominative data”… This is completely false. Another respondent said to
would allow detecting any changes in a contact’s information while                  be “aware that Plaxo collects addresses, but honestly, looking at where we are to-
rendering the data unusable to spammers (and other deviant uses). This              day”, he prefered his “address to be used by them rather than by a spammer who
system could rely on a true peer to peer network for the exchange of                will be sending hundreds of e-mails without one being able to say stop.” The point
the actual private information, without passing through a central server.           here is that it is not the user’s address but his contact’s that are being
Thus data would be directly sent between users.                                     communicated without their approval. Another user entrusted us: “I
                                                                                    guess the base will be used. After all it’s a free service. There must be compensa-
Would a label help improving trust? The new 95/46/CE31 European
                                                                                    tion”… There seems to be some sort of connivance on behalf of
directive law project would give the CNIL and other European privacy
                                                                                    “converted” users. These new “social applications” put the spotlight on
authorities the prerogative to award labels to services that comply with            the importance of human behaviour in order to prevent spam. Users
a certain level of data protection32. However, the reach of these certifi-
                                                                                    should at least understand thoroughly how these services function and
cations is yet to be defined. Would label holders be subject, for exam-             take appropriate time in order to master them (for example, for Plaxo,
ple, to regular intrusion tests in order to verify proper data safeguard?
                                                                                    users should understand the impact of the “allow users who know my
Plaxo’s site displays TRUSTe’s33 logo. This non-profit organisation’s

                                                    Frederic Aoun & Bruno Rasle (
Page 8

e-mail address to look up this information” checkbox).                                        References:
As for enterprises wanting to control the use of this type of applica-
tions, we can make a few suggestions. Education is of course the first
step. Access (at the gateway level) can be also restricted so that these                      2,1282,56322,00.html “Napster Co-
services cannot be reached. In a recent article34, lawyer Isabelle Renard,                    Founder's New Venture” by Xeni Jardin. Wired News –November 12 2002
reminded French companies their obligation to secure information
assets. A sales representative who divulges the enterprise’s address
                                                                                               « An experimental Study of Search in Global Social Networks » by Peter Sheri-
books may be liable to the potential prejudice that shareholders may                          dan Dodds, Roby Muhamad et Duncan J. Watts. Institute for Social and Eco-
suffer.                                                                                       nomic Research and Policy, Colombia University. August 8 2003
Jean-Michel Yolin, president of Enterprise Innovation Section at the French                   4

ministry for economy and finance and antispam devotee tags the appli-
cation as a worm-hoax: “trust me your address book… I’ll update it for you!
                                                                                              page=1 “Banking on its customer base, Plaxo raises $8.5 million more” par Sarah
This allows to build a gigantic data file with the possibility of mapping social net-
                                                                                              Lacy. Business Journal – August 4 2003
works.” Mr Yolin regrets every time one of his acquaintances “gets trapped
by such rubbish.”
Danah Boyd adds “Even if data is being collected with the best of intentions,
                                                                                              7 « La Cnil s'oppose au détourne-
aggregation of data becomes valuable, quickly. As such, it's acquisition may be
against the will of the aggregator. In 1930 the Netherlands decided to collect citizen’s      ment d'informations vers les Etats-Unis » by Philippe Crouzillacq. 01net, Octo-
                                                                                              ber 2 2003
religious faith in order to provide proper burials. Good intentions accidentally allowed
the Nazis to easily execute thousands of Jews 10 years later35.” Without going to             8 23rd   CNIL activity report (year 2002)
such extremes, troubling connections have lately been made public.
Sean Parker was recently appointed a chair at Friendster’s advisory                           9 « Nouvelle faille dans Passport (ID de
board36, he is also Plaxo’s CEO… Would a merger make sense? Will we                           Microsoft) » d’Olivier Chicheportiche . May 11 2003
see users using both applications in order to try to make a profit from
their address books? Are we on the brink of seen the first self-made
men thanks to the prices collected using Ipropi which they would have                         « SoBig : attaque mondiale prévue à 21 heures » par Christophe Lagane.
                                                                                     le August 22 2003
valued with an always up-to-date address book thanks to Plaxo, in turn
made ever larger thanks to Friendster? Not counting cumulated points                          11 “Faceted Id/entity: Manag-

for all the sponsorships... Journalist Bruno Le Marcis recently titled one                    ing representation in a digital world”. Danah Boyd, MIT Media Lab
of his articles in French journal Le Figaro “How about if your address                        12
book brought you some revenues?”…                                                             Newscso_view « Vol d'identité, le successeur du Spam ?» by Marc Olanié.
                                                                                              Réseaux et Télécoms. July 24 2003

                                                                                              13,1294,60540,00.html « Army admits

                                                                                              using JetBlue data » by Ryan Singel. Wired News. September 23 2003

                                                                                              14 Electronic Frontier’s Foundation Web site

                                                                                              15 John Robb’s Weblog

                                                                                              16 Here the term refers to a message sent without prior consent from the recipi-



                                                                                              18 « Rencontres
“- Lottery?” “- Nope, address book!”                                                          d’un nouveau type sur Friendster » par la rédaction. Journal du Net – July 22




                                                                                               « An experimental Study of Search in Global Social Networks » by Peter Sheri-
                                                                                              dan Dodds, Roby Muhamad et Duncan J. Watts. Institute for Social and Eco-
                                                                                              nomic Research and Policy, Colombia University. August 8 2003

                                                                                              23 « Courrier électronique : qui communique avec qui ? » de Chantal Dussuel. Le

                                                                                     February 13 2003.

                                                              Frederic Aoun & Bruno Rasle (
                                                                                                                 Page 9



26 « Ipropi sur le long

chemin de la viralité » by Raphaële Karayan. Journal du Net – August 6 2003.

27 « Les pre-

miers pas du networking social à la française » by Raphaële Karayan. Journal du
Net. October 13 2003

28 Opt-out here is used to caracterize the data collection method. Checkboxes are

usually checked by default. Whereas under an opt-in scheme check boxes are

29 Data collection with prior consent from the consumer as set forth in Seth

Godin’s “Permission Marketing”.


id=3636&t=notebook « Should you sell your digital identity ? » by Sean Silver-
thorne. HBS Working Knowledge. August 25 2003

31 « Textes de référence »

32 « La CNIL

passe aux sanctions » by Jérôme Martin, Avocat à la Cour. Cabinet Salans. Jour-
nal du Net. September 16 2003



«Administrateurs systèmes et cybersurveillance : entre le marteau et l'enclume »
by Isabelle Renard (cabinet August & Debouzy). Journal du Net. September 10

35 Information verified with the Nederlands Instituut voor Oorlogsdocumenta-

tie, in Amsterdam : « There is no question that the extensive pre-war population
registers in the Netherlands played a significant role in the history of the Holo-
caust. There had been a census in 1930 in wich, under the category « religion »,
almost 112.000 persons had registered as « Jews ». Innocent in peacetime…the
registers were used by the Nazis to compile and to check lists for arrests and

36 « Frienster : A little cash goes

a long way ? » by Paul Festa. Cnet – September 2003

For any further information, comments or criticisms please contact us at: The book “Halte au Spam” is presented at

                                                           Frederic Aoun & Bruno Rasle (

Shared By: