Aral Balkan: Historical Archive — Spokeo? More like Spooky-o; bad practice taken to the extreme.

Spokeo? More like Spooky-o; bad practice taken to the extreme.

Spokeo is a web application that lets you find and track your friends. To join, you "sign up using your aol, gmail, hotmail or yahoo account." That's right. Scared yet? You should be!

At the various Social Network Portability meetings I've been attending recently, we've been discussing the dangers posed by sites that ask you for your Gmail (Yahoo, etc.) email address and password to find your friends.

When you give over your webmail address and password to a site, you are giving it the authority to act as you. As far as Gmail is concerned, there is no difference between the site you just gave your login details to and yourself. You have no control over what the site can access; it can access anything and do anything, just like you can.

Would you give this information to a total stranger? If not, why do you give it to a random web application?

Even if you trust the company that you give the information to, do you trust everyone who works at that company who might have access to that data?

How do you trust the application when it tells you that the data is not stored if you cannot see the source code yourself? Even if you can see the source code, how do you know that that is the same code that is running on their servers?

In short, the only person that should be logging into your email account as you, is you.

Usually, sites that implement this anti-pattern ask you for your webmail address and password only when you want to import your friends. Respectable sites don't store these details; instead, they go in, get your list of friends and (hopefully) forget your information.

Today, however, I found a site called Spokeo that goes one step further. Spokeo asks you to sign up to their system using your Gmail, Yahoo, AOL or Hotmail account.

Think about that for a moment.

Spokeo wants you to register for its service using your web mail username and password.

Spokeo stores and keeps your web mail username and password.

That means that Spokeo can log in to your email account, as you, anytime it likes and do whatever you can do. As far as your email provider is concerned there is no difference between you and Spokeo.

It also means that if Spokeo is hacked, or a less-than-honorable employee accesses this data, your webmail access details are compromised.

This is a horrible practice and I strongly urge you not to support it.

If anyone from Spokeo is reading this, I hope you will abandon this sign-up process and use mechanisms like oAuth to safely access data that you have limited, revocable permission to access; do not masquerade as your users, put your users at risk, and teach them dangerous practices.

Update: On their about page, they list Guy Kawasaki as "Our Famous Advisor".

I don't know if and how Guy is actually involved in this venture or whether he knows about this sign-up process but I can only assume that he would not like to be associated with it following this post or that he might possibly advise them to change their methods once he hears about it.

Comments

Thanks Aral for this post. I've received the "courtesy" email as well, saying that someone has Spookeoed me and that I should sign up to learn more. I'll assume this is Spokeo's growth strategy. It's completely off the mark and has the opposite effect of a good viral, Word of Mouth strategy. With WoM, users sign up to a new site because it was recommended by a person of trust. With Spooky, there's no way in hell I'll sign up because someone who's obviously untrustworthy is using it.
by seth on 2008-03-20 22:16:38
A bunch of other people agree with your post and comments: http://blog.randulo.com/ Bad viral idea, bad! I second the wisdom given above, DO NOT EVER do this. Think about all the spam you receive. Much of it is thanks to your friends and contacts whose address books have been compromised by spammers. Unfortunately this is often a result of simple bad practice like sending 100 people including you email CC'ed instead of BCC'ed. SO anyone on the list whose PC is droned has now contributed your email to the spam db. Web 2.0 companies should not use OPT-OUT mailings ever. It's lame, obnoxious and went out with old school of spam.
by concerned on 2008-03-21 13:08:21
Reminds me of the spamming of Quechup - not quite the same, but somewhat similar. A simple google search on 'quechup' brings up loads of posts about it.
by Rosie Sherry on 2008-03-18 10:20:47
I found this thread because I just today received a "courtesy" notice from Spokeo telling me people had looked at my profile in Digg and StumbleUpon and suggesting I join Spokeo. At the end, "This is a one-time courtesy notification about your online privacy. If you wish to opt out of all future emails, click here." First of all, I don't deal with companies that spam regardless of what they do. This is opt out, aka SPAM. Second, it is indeed spooky, unless they just made it up randomly, as in "you have just won the lottery", except that they had my username on both sites. They recommend that if I don't want to be contacted, I should change my security settings on the sites in question.
by concerned on 2008-03-20 18:12:06
I just got an unsolicited email from Spooky-o. It totally creeped me out. Listed all my accounts on various services and my login name. It made me hate it and actually take the time to google it and found this thread. This is my #1 vote for cringe-inducing site of the year. what a stupid idea. All I am going to do is go to each of the services they listed and try to figure out how they got my user name AND email Then I'm going to write a nastygram if appropriate to the service.
by janice on 2008-03-23 23:01:17
Right under the sign-up button, we have a prominent link pointing to the standard sign-up process that includes email verification and such. You don't need to give us any sensitive information in order to use any of Spokeo's functionalities. That said, users have to understand how to deal with CSV files (which surprisingly, a lot of people still don't) in order to take full advantage of the Spokeo system. This is why we modeled our design after any other social network out there. Please try signing up on any of the major social networks, and you should see the same screen.
by Harrison on 2008-03-17 19:59:30
Yeah that is really awful. I'm not that surprised though, have you guys checked out what the 'Spokeo' service offers? Instant unfettered access to a whole pile of data about your friends that they may not be too happy sharing. Yes the data is technically in the public domain but without hours of dedicated search you would be unlikely to find it. In fact unless you're into stalking your friends it's probably not the kind of data you would ever see. But thanks to Spokeo, one quick (and as Aral notes, thoroughly unsafe) login later, you have access to a ton of info about anyone who has ever gmailed you or chatted with you on GoogleTalk etc. Within 1 minute of checking out their service, I found out several things about people I know, which I have absolutely no doubt they would be uncomfortable with. In my view the whole Spokeo thing is one of the most unethical abuses of the network I've seen in years. I predict they are going to get a snowball effect of negative exposure as the collective penny drops and I hope they call it quits before they wreak too much damage. Like all personal spidering applications, it's stinky and it's just a really bad idea, poorly implemented and with little to no regard for any unintended effects on their 'users'.
by clark slater on 2008-03-17 21:16:56
Harrison: I've signed up for a couple of other social networks in my time and I can't seem to recall any that ask for your web mail login details to create an account. If you can list a couple, I'll happily add them to my post.
by Aral on 2008-03-17 20:09:31
That's disgraceful! And the website doesn't even seem to offer anything more exciting than an RSS reader offers, anyway. "Spokeo tracks your friends content, so you don't have to visit their websites one by one." Sounds like data harvesting to me, and, as Jeremy says, teaching users how to be phished.
by Paul Annett on 2008-03-17 20:04:29
Not that I'm totally impressed, but this is a lot more than I expected when I found a link on Furl telling that the info here is awesome. Thanks.
by How to Get Six Pack Fast on 2009-04-15 16:01:35
i have been at this for hours all day long,so i am extremely exhausted,but again i will take the time to write regarding spokeo inc..well first of all i wanted to see if i could find my self online lol,and used my personal email address when i did the search i could not believ my old picture 5-6 years ago was there,yeah a site i used to go,so anyways I thought this was interesting,so i signed up for 1 year and was able to check every email i ever used,and yeah i found so much stuff about me,that i forgot about,lol come on we all forget some times.so anyways continue to my story..I ended up finding when i bought things online,yep you guessed it dates and time,years ago,spooky,um yeah,well for me i wanted to contact the old sites i used to belong to,and get my picture of there site,so i contacted one company and they said you will receive an email address at... but never received it..so anyways due to computer issues,i accidently got logged out,and once i went to log back in.I was unable to,and i thought mm maybe i forgot my password,and so i clicked forgot my pass word and entered my e-mail addy that i signed up with,and guess what happened? you guessed it,it said invalid email..so i tryed contacting them,and when i emailed them they repled with some auto response,dont you want youwant to find your friends? and i also called them,and yeah it went right to voice mail after 5million rings,and then messege said voice mail box is full.what a racket,do not due business with this comapny, they are also on many websites that people got scammed by them.well if i helped at least one,well so be it..
by Jim on 2009-11-06 07:42:17
Oneother thing that people should know about Spokeo is that while it purports to be something like "plaxo" (or any of these other "keep track of your friends" sites - it;s real purpose is as an information broker that sells "credit estimates." to anyone, supposedly HR and LE as well.
by moxley on 2010-07-02 02:35:33
justin bieber was here...
by Justin Bieber on 2011-02-07 20:37:20