Spokeo? More like Spooky-o; bad practice taken to the extreme.

Spokeo sign up: bad, bad, bad!

Spokeo is a web application that lets you find and track your friends. To join, you "sign up using your aol, gmail, hotmail or yahoo account." That's right. Scared yet? You should be!

At the various Social Network Portability meetings I've been attending recently, we've been discussing the dangers posed by sites that ask you for your Gmail (Yahoo, etc.) email address and password to find your friends.

When you give over your webmail address and password to a site, you are giving it the authority to act as you. As far as Gmail is concerned, there is no difference between the site you just gave your login details to and yourself. You have no control over what the site can access; it can access anything and do anything, just like you can.

Would you give this information to a total stranger? If not, why do you give it to a random web application?

Even if you trust the company that you give the information to, do you trust everyone who works at that company who might have access to that data?

How do you trust the application when it tells you that the data is not stored if you cannot see the source code yourself? Even if you can see the source code, how do you know that that is the same code that is running on their servers?

In short, the only person that should be logging into your email account as you, is you.

Usually, sites that implement this anti-pattern ask you for your webmail address and password only when you want to import your friends. Respectable sites don't store these details; instead, they go in, get your list of friends and (hopefully) forget your information.

Today, however, I found a site called Spokeo that goes one step further. Spokeo asks you to sign up to their system using your Gmail, Yahoo, AOL or Hotmail account.

Think about that for a moment.

Spokeo wants you to register for its service using your web mail username and password.

Spokeo stores and keeps your web mail username and password.

That means that Spokeo can log in to your email account, as you, anytime it likes and do whatever you can do. As far as your email provider is concerned there is no difference between you and Spokeo.

It also means that if Spokeo is hacked, or a less-than-honorable employee accesses this data, your webmail access details are compromised.

This is a horrible practice and I strongly urge you not to support it.

If anyone from Spokeo is reading this, I hope you will abandon this sign-up process and use mechanisms like oAuth to safely access data that you have limited, revocable permission to access; do not masquerade as your users, put your users at risk, and teach them dangerous practices.

Update: On their about page, they list Guy Kawasaki as "Our Famous Advisor".

Spokeo guy Kawasaki

I don't know if and how Guy is actually involved in this venture or whether he knows about this sign-up process but I can only assume that he would not like to be associated with it following this post or that he might possibly advise them to change their methods once he hears about it.