Tuesday, May 02, 2006

Questioning the Ethics of Social Networks

A few months back I finally gave in to the thousands of invites I get from friends who have joined these networks. I have both a Friendster and Hi5 account.

What are these networks?
To draw a comparison with the real world, social networks are similar to large gatherings of friends past and present. Each individual invites his or her circle of friends, their friends invite their circle of friends, and so on. As you can imagine, these networks quickly grow as more people invite more of their friends.

My hi5 network, for example, has 14 friends, 5 or 6 of whom I speak to on a regular basis. My "extended network", however, consists of 473 people. When I visit my hi5 home page, pictures of some of those in my network are displayed. Unsurprisingly, it shows members of the opposite gender who are around my age. The idea behind these social networks is great; however, it seems that some sites use our social nature to exploit us.

The problem!!

So what is the problem with these social networks? These sites provide you with an interface which allows you to communicate, chat and share pictures with other people, all for free. Free is never without a capital F, however. In order to make money, the social network sites may offer premium services, or advertise. The more members they have, the more popular their site becomes, and the more popular their site, the more money they can make.

In recent months I have had growing suspicions about these social network sites and their use of the personal data they hold on their members. I first became suspicious when a friend told me that the invite supposedly sent from her had not actually been sent by her. In fact, she had never visited the site before. Not long after, another friend told me she had been infected by a virus which sent email, supposedly from her, containing a link to a video. The email had been sent to everyone in her Hotmail address book, which she only ever logs into via a web browser. The actual PC showed no evidence of having been infected by a virus. So I came to the conclusion that this is some kind of Internet-based worm, which logs onto your Hotmail account and sends out emails to everyone in your address book.

I therefore decided to do a little investigation. I clicked the link in my friend's email and signed up to ringo.com using a bogus Hotmail address. It was after entering a few of my details that I discovered what I believe to be the root of the problem. Ringo asked for my Hotmail password. After I supplied it, it logged onto my account on my behalf and obtained a list of email addresses from my address book, giving me the option of sending one or more of them an email invite. This rang alarm bells straight away. What does Ringo do with my password? Why ask for your Hotmail login when Hotmail actively discourages giving out your password and provides facilities that enable you to export your address book to a file on your PC?

Sites Like Ringo want your Hotmail password.

My next stop was Ringo’s privacy policy. I delved through it to find out exactly what they do with the data you give them. Of striking pertinence was this comment:
Do you send unsolicited emails or direct mail?
Ringo absolutely, positively does not use the emails or postal addresses it collects as a source for unsolicited emails or unsolicited postal mail.


Alas, maybe not. But upon reading further I found this:
Ringo may develop special sites in cooperation with other companies. If you register at these "co-branded" sites, we share your registration information (such as name and email address) with that company.


A contradiction? No. Ringo are simply saying that they may pass the details you give them on to other “co-branded” sites. Unfortunately, they do not mention whether these “co-branded” sites must adhere to the guidelines in their privacy policy and, more worryingly, they do not say exactly what information they will share with them and what these sites do with it.

While Ringo do not condone spamming and would “never” send unsolicited email to you or on your behalf, how does one know what their co-branded sites do with information such as the contacts in your address book and your Hotmail password?

Sites like passport.com (the authentication engine behind Hotmail’s login) have very strict guidelines on the handling of personal data. Looking at their privacy policy we see the following:
Except as described in this statement, we will not disclose your personal information outside Microsoft and its controlled subsidiaries and affiliates without your consent. Some Microsoft sites allow you to choose to share your personal information with selected Microsoft partners so that they can contact you about their products, services or offers. Other sites, such as MSN, do not share your contact information with third parties for marketing purposes, but instead may give you a choice as to whether you wish to receive communications from Microsoft on behalf of external business partners about a partner's particular offering (without transferring your personal information to the third party). See the Communication Preferences section below for more information.

Some Microsoft services may be co-branded and offered in conjunction with another company. If you register for or use such services, both Microsoft and the other company may receive information collected in conjunction with the co-branded services.

We occasionally hire other companies to provide limited services on our behalf, such as handling the processing and delivery of mailouts, providing customer support, hosting Web sites, processing transactions, or performing statistical analysis of our services. Those companies will be permitted to obtain only the personal information they need to deliver the service. They are required to maintain the confidentiality of the information and are prohibited from using it for any other purpose.

To put that in two short sentences: Microsoft will “ask” you if you wish to share your personal information with their partners. They also say that external companies may be given certain information, but in the event that they are, they must conform to Microsoft's guidelines.

It is not my place to say whether or not Ringo are acting immorally here; I leave that for those who are reading this blog to decide. What I will say is that they are treading on very thin ice with regard to their use of their members’ data and are almost certainly in violation of passport.com’s conditions of use in asking for their members’ Hotmail password.

In conclusion, it is without a doubt that some of these social network services are misusing the data their members are giving them. They are using this data, “Hotmail passwords” in particular, to log in to accounts and send mail shots on behalf of the unsuspecting users. These passwords are obtained through a simple social engineering concept: the implicit trust an individual gives a site due to a personal invitation received from a friend. The irony is, this friend may never have sent the invite in the first place.

My advice to anyone who is reading is: DO NOT give your Hotmail password, or any password relating to another site or service, away to a third party. This includes e-messenger services too. If you have already given it out, then change it immediately.

Below are a couple of the sites I have been pointed to when receiving invites from friends who did not send them. Sign up to them at your own risk.

www.ringo.com
www.sms.ac