On social Web, beware of address book mining

Some social networking sites ask for your e-mail address and password when you sign up. In the case of Tagged.com, some users complain they were unaware of what that would lead to.

William Smith, a marketing specialist in Seattle, recently received what appeared to be an e-mail from his old friend Peter. The message said Peter had posted new pictures online and wanted Smith to see them.

To do that, Smith would have to join Tagged.com. He’d never heard of Tagged, but wanted to reconnect with Peter, so he signed up and provided the site with his e-mail address and its password.

“As soon as I clicked, it just invaded my address book,” Smith says. “It was a huge invasion of privacy.”

The site used that information to send e-mails — which looked like they came from Smith — to everyone in his address book, inviting them to join Tagged.

Within an hour, he started getting e-mail from friends and business acquaintances, some he barely knew, asking him what was going on.

“It was very scary at first, and then it was embarrassing,” Smith recalls.

He tells me this went on for more than a month.

“Then I got angry, very angry.”

A cycle of spam

What’s going on here?

You join a social networking site to stay in touch with old friends and make new ones. Some sites, including Tagged.com, request your e-mail address and password when you sign up. That gives the site direct access to your address book, allowing you the option to notify friends and family that you joined the site or added photos or other information.

Many users consider this "invite your friends" feature to be useful. Privacy experts tell me there is nothing wrong with this, as long as the member knows this service is available and has control over when it is used and who will be contacted.

Unhappy users say that was not the case with Tagged.com. When people signed up for membership, the site automatically snagged their address book and sent spam e-mails to all their contacts.

This spam looked like it was sent by a Tagged member who wanted to add the recipient as a friend or share photos. Those who fell for the pitch and signed up had their address lists raided, starting the cycle of spam all over again.

“It’s as if I’m entering your house and taking a list of your friends and their contact information and sending them a letter which looks like it’s from you,” says Debra Berlyn, director of the Consumer Privacy Awareness Project. “This is not the experience we want people to have online.”

New York Attorney General Andrew Cuomo accuses Tagged.com of engaging in “deceptive e-mail promotions, identity theft and invasion of privacy.” The AG’s office says between April and June of this year, Tagged spammed tens of millions of Americans with its misleading e-mails.

This month Cuomo filed a "notice of proposed litigation" against the company, although no lawsuit has yet been filed.

Tagged.com officials declined an interview request, but company CEO Greg Tseng did post several messages on the Tagged Web site dealing with the controversy. He called Cuomo’s accusations “inaccurate and inflammatory” and said the complaints were based on a new registration process that since has been discontinued.

This is not Tseng's first run-in with the law. Back in March of 2006, when he was CEO of Jumpstart Technologies, LLC, Tseng settled charges with the Federal Trade Commission that the Jumpstart Web site violated the Controlling the Assault of Non-Solicited Pornography And Marketing Act. The company agreed to pay a $900,000 civil penalty. According to the FTC's complaint, Jumpstart violated the law by disguising its commercial e-mails as personal messages, and by misleading consumers about the terms and conditions of the promotion.

“These defendants intentionally used personal messages as a cover-up for commercial messages,” said Lydia Parnes, Director of the FTC's Bureau of Consumer Protection, in a news release issued at that time. “Deceptive subject lines and headers not only violate the CAN-SPAM Act, but also consumer trust.”

Vincent Weafer, a vice president at Symantec Security Response, says the issue is “lack of notification and consent.”

“Many, many Tagged users had no idea that this was occurring, and that’s what generated many of the complaints,” he says.

That’s because instead of making a clear up-front request for your address list like other social networking sites do, Tagged buried the information in the legalese of the site’s “terms of service” section, which most people never read.

Why would a presumably legitimate Web site behave this way?

“The immediate reason to do this is to build their user base,” says Rod Rasmussen, co-chair of the Anti-Phishing Working Group’s Internet policy committee. “In general, the larger the user base the more valuable your company is.”

New York plans to sue

And it worked. Mining e-mail address books this way made Tagged.com the nation's third-largest social networking site. The question is, how many of those “members” really want to belong to the site?

“This company stole the address books and identities of millions of people,” Cuomo said in a news release. “We would never accept this behavior in the real world, and we cannot accept it online.”

Tagged.com CEO Tseng acknowledges receiving more than 2,000 complaints last month from people who had unintentionally invited all their contacts to join Tagged.

In his message, Tseng insists Tagged did not access anyone’s personal address book without their consent or send e-mail without their permission.

How does he explain all the complaints?

“Simply put, it was too easy for people to quickly go through the registration process and unintentionally invite all their contacts,” Tseng writes. “We are truly sorry for any inconvenience or frustration that these people experienced.”

In his news release, Cuomo says by the time Tagged made the change, it had already sent more than 60 million “deceptive e-mails to consumers worldwide.”

How to protect yourself

It’s always risky to give a company access to your e-mail contacts. You’re basically trusting that the business will not abuse that privilege.

If a site is asking you for private information, it is best to back away until you understand what they’re looking for and why.

Weafer of Symantec suggests creating a dummy e-mail account to sign up. “That way you’re not going to have any contacts in there. It’s a dummy account solely for this purpose,” he says.

“Stop and think before you click and agree to something,” warns Berlyn with the Consumer Privacy Awareness Project. “A little bit of caution goes a long way.”