Newsvine
ConsumerMan: Guard your e-mail

Wed Jul 22, 2009 7:34 PM EDT
business, only-on-msnbc-com, consumerman, site, smith, e-mail, address, contacts, cuomo, tagged
msnbc.com News — Herb Weisbaum, msnbc.com - Only on msnbc.com

William Smith, a marketing specialist in Seattle, recently received what appeared to be an e-mail from his old friend Peter. The message said Peter had posted new pictures online and wanted Smith to see them.

To do that, Smith would have to join Tagged.com. He’d never heard of Tagged, but wanted to reconnect with Peter, so he signed up and provided the site with his e-mail address and the password.

“As soon as I clicked, it just invaded my address book,” Smith says. “It was a huge invasion of privacy.”

The site used that information to send e-mails — which looked like they came from Smith — to everyone in his address book, inviting them to join Tagged.

Within an hour, he started getting e-mail from friends and business acquaintances, some he barely knew, asking him what was going on.

“It was very scary at first, and then it was embarrassing,” Smith recalls.

He tells me this went on for more than a month.

“Then I got angry, very angry.”

A cycle of spam
What’s going on here?

You join a social networking site to stay in touch with old friends and make new ones. Some sites, including Tagged.com, request your e-mail address and password when you sign up. That gives the site direct access to your address book, allowing you the option to notify friends and family that you joined the site or added photos or other information.

Many users consider this "invite your friends" feature to be useful. Privacy experts tell me there is nothing wrong with this, as long as the member knows this service is available and has control over when it is used and who will be contacted.

Unhappy users say that was not the case with Tagged.com. When people signed up for membership, the site automatically snagged their address book and sent spam e-mails to all their contacts.

This spam looked like it was sent by a Tagged member who wanted to add the recipient as a friend or share photos. Those who fell for the pitch and signed up had their address lists raided, starting the cycle of spam all over again.

“It’s as if I’m entering your house and taking a list of your friends and their contact information and sending them a letter which looks like it’s from you,” says Debra Berlyn, director of the Consumer Privacy Awareness Project. “This is not the experience we want people to have online.”

New York Attorney General Andrew Cuomo accuses Tagged.com of engaging in “deceptive e-mail promotions, identity theft and invasion of privacy.” The AG’s office says between April and June of this year, Tagged spammed tens of millions of Americans with its misleading e-mails.

This month Cuomo filed a "notice of proposed litigation" against the company, although no lawsuit has yet been filed.

Tagged.com officials declined an interview request, but company CEO Greg Tseng did post several messages on the Tagged Web site dealing with the controversy. He called Cuomo’s accusations “inaccurate and inflammatory” and said the complaints were based on a new registration process that since has been discontinued.

This is not Tseng's first run-in with the law. Back in March of 2006, when he was CEO of Jumpstart Technologies, LLC, Tseng settled charges with the Federal Trade Commission that the Jumpstart Web site violated the Controlling the Assault of Non-Solicited Pornography And Marketing Act. The company agreed to pay a $900,000 civil penalty. According to the FTC's complaint, Jumpstart violated the law by disguising its commercial e-mails as personal messages, and by misleading consumers about the terms and conditions of the promotion.

“These defendants intentionally used personal messages as a cover-up for commercial messages,” said Lydia Parnes, Director of the FTC's Bureau of Consumer Protection, in a news release issued at that time. “Deceptive subject lines and headers not only violate the CAN-SPAM Act, but also consumer trust.”

Vincent Weafer, a vice president at Symantec Security Response, says the issue is “lack of notification and consent.”

“Many, many Tagged users had no idea that this was occurring, and that’s what generated many of the complaints,” he says.

That’s because instead of making a clear up-front request for your address list like other social networking sites do, Tagged buried the information in the legalese of the site’s “terms of service” section, which most people never read.

Why would a presumably legitimate Web site behave this way?

“The immediate reason to do this is to build their user base,” says Rod Rasmussen, co-chair of the Anti-Phishing Working Group’s Internet policy committee. “In general, the larger the user base the more valuable your company is.”

New York plans to sue
And it worked. Mining e-mail address books this way made Tagged.com the nation's third-largest social networking site. The question is, how many of those “members” really want to belong to the site?

“This company stole the address books and identities of millions of people,” Cuomo said in a news release. “We would never accept this behavior in the real world, and we cannot accept it online.”

Tagged.com CEO Tseng acknowledges receiving more than 2,000 complaints last month from people who had unintentionally invited all their contacts to join Tagged.

In his message, Tseng insists Tagged did not access anyone’s personal address book without their consent or send e-mail without their permission.

How does he explain all the complaints?

“Simply put, it was too easy for people to quickly go through the registration process and unintentionally invite all their contacts,” Tseng writes. “We are truly sorry for any inconvenience or frustration that these people experienced.”

In his news release, Cuomo says by the time Tagged made the change, it had already sent more than 60 million “deceptive e-mails to consumers worldwide.”

How to protect yourself
It’s always risky to give a company access to your e-mail contacts. You’re basically trusting that the business will not abuse that privilege.

If a site is asking you for private information, it is best to back away until you understand what they’re looking for and why.

Weafer of Symantec suggests creating a dummy e-mail account to sign up. “That way you’re not going to have any contacts in there. It’s a dummy account solely for this purpose,” he says.

“Stop and think before you click and agree to something,” warns Berlyn with the Consumer Privacy Awareness Project. “A little bit of caution goes a long way.”

  • Public Discussion (7)
CSSinGA

These people gave this company the password to their private email program? Am I understanding this correctly? Why would anyone give out a password? Wouldn't you think that would have raised a huge red flag? Or did the Tagged program download what is basically a trojan that simply invaded the email program and grabbed all the contact info?

    Reply#1 - Thu Jul 23, 2009 1:12 PM EDT
    Howy61

    The article says they gave Tagged the password and since it is buried in the Terms agreement, it is likely legal, but highly unethical.

    Password/pins should be treated like SSN. Never give it out on-line without a really good reason.

    So should personal information like Mother's Maiden Name. Technically public domain, but my bank almost lost a long-term customer when they recently asked me for that piece of information for a Safety Deposit box lease.

      #1.1 - Thu Jul 23, 2009 1:35 PM EDT
      Dave-1233424

      I joined tag fairly recently and I recall bypassing an option that requested my email address and passwords. It was not a required step. If people thought about what they were doing more often there would be a LOT less problems.

      These prompts aren't unique to Tagged. I got asked when I created a Facebook profile and seem to recall something similar with MySpace.

      It all boils down to personal responsibility... which is severely lacking IMO.

      -D

        #1.2 - Thu Jul 23, 2009 6:58 PM EDT
        Reply
        setjeff-1Deleted
        Katiemom

        I am glad to see someone is finally going after these crooks! They hacked my sister-in-law's address book and I got an invitation to join. Their registration page(s) come up cleverly with the top 1" cut off, and if you don't pay intense attention, you wind up signing up for text and messaging services you don't need or want. I wound up with charges on my cellphone and land line from them. Fortunately, it wasn't too difficult to get them removed, but I did file a complaint against them with the FCC for deceptive practices. Needless to say, I immediately cancelled my account with them when I found out my sister-in-law never sent the e-mail. If you get anything from them, just ignore and delete.

          Reply#3 - Thu Jul 23, 2009 2:00 PM EDT
          Don-385532

          Wow, I guess that is why I keep getting invites from people I don't know. Why in the world would someone give their email password to anyone?

          I'll be marking any future messages from Tagged as spam.

            Reply#4 - Tue Jul 28, 2009 5:38 PM EDT
            Viper Blade

            They aren't the only one! I've been receiving emails from my ex-wife thru a site called my dailyflog or dailyblog, something like that anyway. After sending a cease and desist, I'm still getting this junk from the witch.

              Reply#5 - Sun Aug 23, 2009 2:54 AM EDT
              breelaboyDeleted