Online Social Network Spam: Growing Trend?

Online social networks are one of the blessings of Web 2.0. Plenty of people use them to stay in touch with their friends, meet new people, make work-related connections and more. Unfortunately, it seems like you can’t have something good on the Internet without someone coming along to abuse it, and that’s as true of online social networks as anything.

I’m going to be using the term “social network spam” rather loosely here. Wikipedia defines it one way, but I’ve seen others talk about different phenomena that also deserve the term. First I’m going to cover my own varied experience with it, then branch out into other descriptions.

One of my earliest experiences with online social networking can’t really be called spam, for all that it was unexpected and unsolicited. A freelance writer who had submitted some articles occasionally to our company invited me to join LinkedIn. I did. It was a painless experience, but I haven’t really done much with it since. If I did more business networking, it would have been more useful to me. As it happens, I do expect to do more business networking over the next year, so I’m glad to have a place to start.

Sometime in the past month, I received an email from a friend inviting me to join Tagged.com. Like the LinkedIn invitation, this message appeared to have been automatically generated by the network; unlike the LinkedIn message (here I’m operating from memory), it looked as if it was sent directly from my friend’s email account. That meant no risk of triggering the spam filters. Also, it went to my personal rather than my work account; this made sense, since my friend had no reason to have my work email address in his online address book.

By this time I’d reviewed several social networking sites, and knew of the existence of more. I currently have accounts, or at least sign-ins, with Live Journal, Searchles, Zude, Yahoo 360, LinkedIn, Spock, Orkut, and probably a few about which I’ve utterly forgotten. I’ve heard of Fark, Digg, Reddit, Facebook, MySpace, del.icio.us, StumbleUpon, Powerset…I could name more, and I know how to Google for even more than that. The point is, I’d never heard of Tagged.com, and I thought that was a little unusual. So I decided to do a little investigating before clicking that link.

It was the work of a moment to Google Tagged.com. I learned from an eWeek article that Tagged has been “harvesting teenagers.” I apologize if I’m a little behind the times; the article dates to April 2007. Anyway, author Larry Seltzer reported getting about six emails from a friend of his inviting him to join Tagged.com, saying “Please respond or [friend’s name] will think you said no. :( .” Like the ones I received, these emails looked auto-generated. Like me, Seltzer passed up the invitation, but he did more research.

Seltzer found a blog entry from Symantec that explained how Tagged works. In part, it said that “…when a user signs up for Tagged, they’re practically forced to put in their Webmail credentials. Tagged then logs into your Webmail account as you, accesses your address book and prompts you to e-mail your contacts using your Webmail address as the reply-to.” Can you say “invasion of privacy”? I knew you could. Here I bow to Seltzer, because at this point he put in the work with multiple Gmail accounts to prove that Tagged actually did engage in this practice; I recommend reading the article to anyone who’s curious about the technology.

Seltzer went on to talk about Tagged’s Terms of Service, which are a little scary. Basically, they can share your email address and assorted other information – even your eye color, it says so right in the ToS – with third parties for marketing purposes. Users may opt out, but Tagged targets teenagers; how many of them are going to read the Terms of Service to find out how they can opt out of marketing? Tagged also specifically lies in its terms of service; it says that “Users have the option, within their Internet browsers, to disable cookies and continue to access the Tagged website.” When Seltzer tried it, he found out that “If you disable cookies it won’t let you log in and says that you have to enable cookies.”

Needless to say, I didn’t sign up for Tagged.com. I don’t want to inconvenience my friends with invitations to try out new social networks. I definitely don’t want to see my friends involved in a social network that’s that grabby about personal information. What’s even worse is that the site doesn’t actually SAY they’re going to use your email to send out all these invitations to all your friends to join the network.

Now I’m sure you’ve received invitations from dating networks with dozens of gorgeous women who want to date you; I’ve received that spam myself. And certainly you’ve received spam messages where someone you’ve never heard of claims to be your friend and is inviting you to join some online social network you’ve never heard of; I’ve also received a few of those. But recently I received an offer that surprised me into writing this article in the first place.

It was from StumbleUpon. Since I’d heard of them, I assumed that they would be engaging in ethical practices. And it’s quite possible that they are. Their users, on the other hand, might not be. You see, I had never even heard of the person who sent me the invitation! And the auto-generated message did not include any kind of personal note explaining why he’d sent the invitation or introducing himself; just the auto-generated part about wanting to share favorites. He appeared to be real enough; I was able to confirm that via Google. But for the life of me I couldn’t remember him, or figure out where he knew me from that he would send me an invitation to join an online social network.

The invitation came to my work address; I sent an email directly to him in response, asking where he knew me from. My work email address isn’t hard to find or figure out. Anyway, I haven’t heard back from him. I did discover that one of the people he is a fan of is named seogurl. If that indicates an interest in SEO, he may know me through the articles I write. Still, it was more than a bit…disconcerting. Then again, maybe I’m being something of a stick in the mud about this. Heavens, hadn’t Emily Post or Miss Manners covered the proper etiquette for inviting someone to join your online social network?

No, I suppose not. When I Googled the phrase “social network spam” (without quotes), I received nearly 46 million hits. One interesting link led to a very recent post on LibraryThing’s blog, castigating Shelfari for doing basically the same thing as Tagged.com. Among other things, it quotes Jesse Wegman of the New York Observer as saying that Shelfari spammed “every single person with whom I have exchanged an e-mail in the past three years, in addition to every single person who has ever been on the same cc list as I have, regardless of whether we have ever met, in addition to every single listserv I have ever joined and every single Web site from which I have ever ordered anything.” Ouch! On top of that, the post includes links to 51 bloggers and journalists who are upset over Shelfari’s practices.

As I mentioned earlier, Wikipedia defines social network spam a little differently from the way I’ve described it above. Social network spammers utilize a social network’s search tools to “target a certain demographic segment of users, and send notes to them from an account disguised as that of a real person. Such notes typically include embedded links to pornographic or other product sites designed to sell something. As of 2006, spamming software such as FriendBot is available to automate the process.”

Let’s change the context a little bit. Google recently unveiled its OpenSocial initiative. It will allow third party developers to build applications that can work with data from a wide variety of online social networks. By and large this is a good thing, but it’s easy to see how an unscrupulous developer might secretly turn one of these applications into an information harvester for himself. It could be something that happens in the background…and the user wouldn’t even realize that the information is being shared with someone else. What that someone else does with it could range from unwanted marketing to identity theft if the user wasn’t sufficiently careful.

Let’s also look at Facebook’s new advertising efforts in this light. The new initiative has three parts. The first part lets companies build their own pages on Facebook to connect with their target audience. The second part is a system through which the marketing message will be spread virally via Facebook Social Ads. The third part lets companies gather insight into the users’ activities on Facebook. The way the system works, however, is like this: when you “friend” a company or a product, your name and picture are used in an ad for that product. And this ad is sent to your friends. It hardly seems as if you’re consenting to this when you agree to “friend” the site – and the system might actually be illegal in New York.

Other activities that online social networks engage in raise all sorts of privacy issues. In a September blog entry, Ross Mayfield, co-founder of Socialtext, puts the problem plainly. “The fundamental privacy problem is that social networks grow virally by adding you to a graph without asking you to opt in. Once you are in the graph, it may be hard for you to know you are in, let alone opt out…You are modeled without your control over social context, and identity and relationship data can be layered on top of you as a node…Providers come in all stripes and you not only have to concern yourself with their ethical business practices, but the basic of security. Opening the graph to third party developers based on open standards is a laudable effort to solve one social graph problem. But the privacy concern of governance and oversight over those third party developers who have access to more data than users is uncharted.” It looks as if we’ll be traveling into a lot of uncharted territory in the months and years ahead.
