In pursuit of spam-free living
(This is a post that’s been banging around in my head for some time. Tony’s well-titled post about his distaste for Quechup abusing access he gave to his online address book served as inspiration to sit down and compose. As for Tony’s warning, I did not respond to the Quechup invitation, primarily because I am put off when I receive an email from a website I did not give my address to, for the reasons I will state below.)
I feel that websites hurt us all by training people to provide friends’ email addresses to third parties (e.g. websites). I consider the “email this to a friend” forms on websites the online equivalent of a stranger on the street asking me for a friend’s email address. Sure, the site will email the article to the friend, but I have no idea what will be done with my friend’s email address after that. Options include: nothing, send spam, sell it to a spammer, store it on a server to be hacked into at some point in the future, etc.
Even more dangerous are the “friend finder” tools offered by social web services (e.g. Facebook) that have people provide their authentication credentials for online address books and that identify their friends by email address. By allowing authentication through third-party servers, the major social mapping services (AOL, Google, MSN, Yahoo!) facilitate third-party access to not only contacts’ email addresses, but also members’ authentication credentials (anyone who logged into Quechup: you may want to change your Gmail password).
In consideration of spam’s tremendous drain on productivity, I wish websites were designed to encourage better habits – social norms less prone to abuse by potential spammers. What’s so difficult about providing visitors with a link they can share with others through their own email client, authenticated channels (IM and other social networking tools), or their own website? Word-of-mouth will always be the most effective marketing, not only because of the credibility lent by the mouth’s reputation, but also because sales often take repeated pitches. I may wait to try a service until I’ve heard about several friends using it. After spamming invitees, sites like Friendster now provide the invitee the option of instructing the service to never email them again. Well, if invitees select that option upon the first invite, there goes a shot at repeated sales pitches!
Responding to my rhetorical question above, I realize that many people are not familiar with the technical details of how the internet works – including seemingly basic tasks like copying and pasting links into emails. I also understand the demand to recognize people you know using the same services as you. Unfortunately, the common solution to this second problem often includes handing over the contact information for everyone the person knows. I want to identify people I know using the service, but I don’t want to give websites access to the contact information of everyone I know. Fortunately, the social graph is portable and smart services allow their members to take their social mappings with them without exposing their authentication credentials or others’ contact information.
I do not think an open social graph is the answer – I will only map my social network when I can retain access control to the social mappings.
I admire user experience designers that take a broader view of the choices they make: thinking not just about the experience of using the product or service itself, but also how the offering fits into people’s lives and will affect society. Design in a way that enforces habits consistent with the social contract of respecting privacy and discourages habits leaving people susceptible to unintentionally jeopardizing the privacy of others for whom they care.
p.s. I’ve heard an argument that by forwarding an email address to Gmail, you may be violating a social contract not to share their personal conversations with The Google. (Again the whole “fear The Google” thing.)
2 Comments
This is a difficult area to get right and clearly a lot is going to depend on your personal risk aversion.
Personally I am willing to use the contact importers on social networks. I’m hesitant to start using a new social network though which usually means word of mouth and extensive press coverage. So far this has been sufficient to avoid the overly aggressive companies. Another thing I look for is a chance to review my contacts before emails are sent.
I think progress is being made by Microsoft on the “email an article to your friends” issue with their Windows Live Contacts Control Beta. Using that, your authentication details are secure and the website will only see the contacts you select.
http://dev.live.com/contactscontrol/
That’s only a partial solution for the social networks, though, where seeing which of your contacts are already members (out of all of your contacts) requires complete access.
“Fortunately, the social graph is portable and smart services allow their members to take their social mappings with them without exposing their authentication credentials or others’ contact information.”
Care to elaborate?
Disclosure: I’ve developed, documented and posted about several open source contact importers on my website.
To understand my point, zoom out beyond yourself. You may not be spamming your friends, but are your friends inadvertently spamming you?
The Quechup incident (not to be confused with Gn’R's “Spaghetti Incident?”) demonstrates the downside of using contact _information_ importers. Malicious websites can take advantage of our habit to hand over authentication credentials to our records of others’ contact information. The end result is an out-of-control chain letter, spreading like the viruses that target Outlook address books. Those answering the website’s call to action inadvertently spam their entire address book (sometimes everyone they’ve ever emailed due to the trend started by Gmail of automatically adding recipients to the address book), and the chain continues. Worth noting, many of those falling prey to the Quechup virus are web-savvy individuals – those most prone toward trying out new web services and wanting to know which of their friends are already using those services.
To me, the solution is not limited to being scrupulous about only handing over the keys to the castle to good websites – it’s for good web sites to help us establish habits that don’t leave us susceptible when unknowingly visiting the bad sites. A similar example is the training banks are now trying to do in response to phishing campaigns.
I have friends that continually provide my email address to websites, despite my repeated requests to not do so. These people are not going to change – if we’re going to tackle this problem, the design will have to adapt to the people, particularly those least savvy about how this whole “web” thing works. I am happy to see some folks online moving in this direction.
In response to your request for elaboration…
Web services that store mappings of their members’ social networks can enable their members to import those social maps when using external web applications. As you know, that’s happening today, but identification of nodes is being done primarily with email addresses, a medium prone to spam.
I prefer solutions that offer unique identification through some means other than contact information. Perhaps lost in the hype of F8 and the use of social maps with applications accessed inside Facebook, Facebook does allow for porting of social maps to external web applications. As part of a class, I built a web application hosted entirely outside of Facebook that imported friends identified through Facebook. From what I’ve read, many other services are now recognizing the demand for their members to port their social maps when using independent web applications.
To be clear, I’ve been impressed with your work on contact importers. You’ve made the most of access methods available today. I think it’s time for the online address books to recognize the demand those contact importers serve along with the risks involved with how things are designed today and make their own offerings more robust in regards to privacy, security, and flexibility.
A great visual depiction of how contact importers work today (I Can Has Cheezburger style):