HD DVD / Randomness... : Privacy

Is A Picture Worth 1,000 Spams?

ptorr — Thu, 18 May 2006 06:40:00 GMT

Every now and then, one of my friends will send me a link to an on-line photo album that they’ve created at one of the commercial photo-hosting sites. Unfortunately, I’ve never actually seen any of these photo albums because these sites all require you to “Create an Account” in order to view the album.

No thanks.

Here’s the thing: I understand that the website is providing a service (hosting photos), and that that service incurs costs for the website. I would be more than willing to pay a reasonable fee for that service, but no such “reasonable fee” exists. Let me explain. (And let me also explain that I’m not singly out any particular website, or even photo-hosting sites in general; it is any website that wants you to sign-up to get “low value” content).

Imagine for a moment that we had some form of micropayments or e-cash and that it was easy for people to buy and sell goods anonymously over the internet at large. Now I can decide what viewing a photo-album is worth to me, and what I think it should be worth to the hosting company. I might decide that it’s worth a dollar, or maybe twenty cents, or maybe five dollars; the exact value doesn’t matter. But I know what “spending a dollar” means, and I can relatively easily make the decision as to whether viewing those photos is worth $1 to me (and that the hoster deserves $1 for providing the service – note that even if I had infinite resources, I still wouldn’t want to be ripped off to the tune of hundreds of dollars just to see a couple of pictures).

But the currency of the internet isn’t cold hard cash, it’s PII (Personally Identifiable Information) – your name, e-mail, age, and anything else you are willing to cough up. There are two problems with this:

I don’t know how much giving up my PII is going to cost me in the long run
I don’t know how much my PII is worth to the website in the long run

Looking at the first point, I know what “spending a dollar” means. It’s going to cost me exactly one dollar. If I spend the dollar on the photos, I won’t be able to it on a cup of coffee or a movie ticket or the next Pet Shop Boys album, but I’ve got a couple of spare dollars lying around for those other things, so it’s no big deal. I spend the dollar exactly once, and ten minutes later I’ll probably have forgotten about it. I certainly won’t be caring about that dollar next week, next month, or ten years from now.

But you can’t say the same for PII. It only takes you a few minutes to type it in (which, depending on how you value your time, may already put you well over the $1 threshold -- especially if you actually read the Terms of Service and the Privacy Policy) but once you’ve given it up you can never get it back. Now you might start getting “promotional offers” from the site in your e-mail and possibly your postal mail. They might sell your PII to a third party who will send you even more “promotional offers”, and this could go on indefinitely. Five years from now, even though you’ve forgotten about ever visiting the web site, you could still be getting spam from a bunch of folks who have your PII.

But wait, there’s more! If the hosting site or its affiliates, agents, successors, blah blah blah ever get hacked (or they lose their backup tapes in the mail, or they fall off the back of a truck, or... I’m sure you’ve read all the stories), your PII may land in the hands of real criminals. Now it’s not just unwanted e-mail or flyers from “legitimate” advertisers that you have to worry about, it’s malicious or fraudulent e-mail that might lead to spyware infection, identity theft, or something even worse.

Is it really worth that to you?

And on to the second part; what’s it worth to the website? Again, you probably have some idea of what $1 means to a website (because it’s the same currency that you use), but it’s impossible to quantify what the value of your PII is to them. Over time, they might use it to spam you; they might sell or rent your information to an unlimited number of other parties; they might combine it with other data from other websites to build up profiles of users; and so on. Note that these activities may not cost you anything (they don’t figure into #1 above), but they do provide value to the website... possibly a lot more than the $1 you might have valued the transaction at originally. So you’re effectively selling yourself short by giving away a goldmine of information for a couple of piccies on the net.

This is why you should always read the Terms of Service and the Privacy Policy and any other related documents before signing up to any web site. Even then, you’re not necessarily safe. Many sites effectively say “we reserve the right to change this at any point in time... you should come back and check our website regularly!”. But even if you bother to go back and re-read the site every so often (once a month? a week? every hour? How often is often enough?) it probably doesn’t matter. If they change their policy to be “We will sell all your PII to the highest bidder”, what can you do? It’s not like you can decide you no longer agree and take back your information. They’ve already got it hostage.

Now, some of this might sound sensationalist, and I don’t know how likely any of it is to happen.. I’ve never actually made it all the way through the ToS or PP for a photo hosting website, because usually after several minutes of slogging through the legalese I decide to cut my losses and close the browser. But as far as I’m concerned, it’s Just Not Worth It.

No such thing as a "free lunch"

ptorr — Mon, 29 Dec 2003 14:48:00 GMT

Raymond has had a few blogs about privacy policies lately. It has motivated me to write a little bit about a bad experience I am currently having through no fault of my own, although unlike Raymond I don't feel comfortable naming the particular company. After reading how negative this entry is, you'll understand why! Just consider this a general warning for how bad some of the web sites are out there, and always think twice (actually, even thinking once would be good enough) before typing your name and address into a web form.

The setup:

A few weeks ago, I received an email from a friend saying "Go to this web site and we'll both get free stuff."

"Yeah right," I say to myself, "TNSTAAFL."

So I cruise on over to the site anyway, just to see what kind of a scam they're trying to pull, and I go to the place that is supposed to tell me how my friend and I can get "fee stuff." Simple, the site says. It's a basic 3-step process:

Sign up
Tell friends
Get free "stuff"

It also claims "No hidden costs!" which is in direct violation of the TNSTAAFL theorem. Hmmm, let's dig a little deeper, shall we...

The skinny:

First of all, unlike your average web site, "signing up" involves giving them your full name, postal address, and date of birth. (Remember they already know my e-mail address because my oh-so-helpful friend gave it to them). And of course you can't lie about your postal address, firstly because that would be dishonest and be grounds for them terminating your account, but perhaps more importantly (at least from their perspective) that's where they'll ship the free stuff too, so it makes no sense to lie.

OK, let's assume I'm crazy enough to give them this information (obviously I'm not, for reasons we'll get to in a moment). Step two, "tell friends," is a gross mischaracterisation of what has to happen next. What step two really involves (per their helpful FAQ) is you convincing five other friends to sign up. You don't just have to enter five email addresses into the system - oh no - you actually have to get five warm bodies to go to the site and "sign up" themselves (see comments on step one, above). And of course, to be on the safe side, you're going to put in more than five addresses, just in case some of your friends (like me!) are too smart to sign up, aren't you?

Hello! Can you spell "Pyramid Scheme"?

Now let's assume for the moment that you only convince four people to sign up. Oh, sorry about that. No free stuff for you! But they do have your PII (personally identifiable information -- name and address) and that of four of your friends. And let's say that each of those friends got three people to sign up. That now makes 1 + 4 + 3 + 3 + 3 + 3 = 17 fresh names and addresses, for zero outlay on behalf of the web site. What a great business model! Maybe you should enter in some more names to increase your chances of getting people to sign up?

OK, so let's be optimistic and assume you got five "friends" (they won't be your friends much longer!!) to sign up. Let's move to step three, "get free stuff."

But wait!

You're missing the crucial (and conveniently "forgotten"-to-be-mentioned) step 2.5 - "Buy something from our advertising partners." Yes, that's right! Not only do yo have to scam five of your friends, but you have to purchase something from this web site's "advertising partners" in order to qualify for the "free stuff." Free isn't looking so good any more, now is it?

OK, OK, we'll pretend that you actually like one of these offers and are willing to shell out the cash on it to get your "free stuff" -- what next? Well, sure, they'll ship you you're free stuff. BUT, it's only a voucher for the free stuff, it will take 6 to 8 weeks to get there, and it's only valid for one month. (One can only hope that the one-month time bomb starts ticking after that two-month delivery delay, but looking at the rest of the site I wouldn't put it past them...). Obviously I never got this far into the process, so who knows what other loopholes and dastardly schemes await you when you try to take advantage of one of their "special offers" -- I can only imagine the horror.

So far, so... good? Maybe, I guess, if you really wanted that free stuff, didn't care about giving away your PII and that of your friends, and were going to purchase something from the advertising partners anyway. By the way, did I mention that the "free stuff" has a retail value of less than ten dollars? That's right, it's not even very good free stuff! (And you know that if the retail value is less than ten dollars, then the cost of buying vouchers at a wholesale discount is likely to be considerably less than ten dollars).

But the plot thickens. Not only does the site deceive you about the process of getting "free stuff," but they have the worst privacy policy I've ever seen (as Raymond says, all you have to do is disclose it; doesn't matter how bad it is!). Essentially the policy says (paraphrased):

We will rent or sell your PII (name, postal address, e-mail address, survey results, etc.) to any third party.

At least they don't mince their words! Gotta give them credit for being honest, I guess. They also have the usual stuff about tracking your progress around the site to provide targeted ads, but I am actually in favour of this -- if you're going to bombard me with ads anyway, at least make them ones I might be interested in.

Then they have a bit about how they are opposed to spam, how it is strictly against their policy, yada yada yada, and yet by their very own admission (above) they are willing and able to give your PII (at a profit!) to other people who have no use for it other than to, uh, send you unsolicited junk mail (that would be spam, duh!). Plus I've received at least three or four "reminders" from this site to sign up, even though I don't want to, and I count that as spam. I can't just block the mail as junk, because they are sneaky enough to send it from my friend's address (gotta love the built-in spoofability of SMTP -- imagine the flack we'd get if Microsoft ever invented such a horrible protocol!). I guess technically they could claim it's not spam since my friend "volunteered" the information (and thereby acted as a proxy for me), but it's still pretty shady.

In the end, it is user stupidity that lets this site succeed (yes, I'm calling my friend stupid in this regard. She knows :-) ). My friend simply got the invitation e-mail from one of her friends, clicked on the link, thought it was cool, filled in her name and address, and added the e-mail addresses of ten (not five, but ten!) of her friends to the site. Now she wishes she hadn't.

What this site gets is a list of people's names and addresses. It's a very valuable list, because not only does it contain your postal address (most spam lists on the internet -- e.g. those from newsgroup trawlers -- are limited to your e-mail address), but it is also highly targeted. Only those people interested in this particular type of free "stuff" would have signed up, so the list is pretty "clean" when it comes time to sell it to vendors of "stuff" who wish to spam you. It gets the list without breaking the law, because all users volunteer the information (including "leads" of new people to spam). It will rarely have to "pay out" to users, because nearly all of them won't meet the requirements. (Specifically, there will always be the "leaf nodes" at the edge of the pyramid who haven't signed up enough people yet, so at best (or worst) they only have to pay out 1 in 5 people, but it's likely to be a lot less frequent than that). To be fair (ha!), you can get "free stuff" without joining the pyramid scheme if you accept more offers from their "advertising partners", but that's not what they're advertising and it hardly qualifies as "free" in my book.

Even when the site does pay out, the value of the "stuff" is quite small. And the chances are that, just like mail-in rebates and other kinds of vouchers, most people never actually use them because either (i) they aren't in a situation to use the vouchers in the month before they expire, or (ii) they always forget the vouchers at times when they would be able to use them. I would bet that unclaimed vouchers cost the site nothing (except the original price of postage). Furthermore, the site probably gets advertising revenue and kickbacks from its partners, and gets to keep and market your PII in perpetuity.

One funny thing: The site's privacy policy says that you can opt-out of their database at any time by cancelling your account. Sounds like a good deal, yes? Not so fast, hotshot. Since the site can sell, rent, or market your information to any third party, they could conceivably "sell" it to themselves (under the guise of a separate entity, of course) as soon as you hit the "Submit" button on their registration form, so even if you immediately cancel your account (having realised it for the scam that it is) you are SOL (def: out of luck). The other site "bought" your PII and has no obligation to ever delete it!

My plea to you is: Don't do it! Always read the privacy policy of sites before you enter anything into them. Even then, you can only really trust the privacy policy if the site itself is reputable. One way to check if a site is "reputable" -- albeit not a foolproof one -- would be to see if they have an SLL certificate issued from someone like VeriSign (just go to their web site using an https prefix rather than http, and double-click on the lock that appears in your browser to view the certificate information). At least then they had to fork out some cash and give up their own PII in order to get the cert, so you can be fairly certain they're not complete fly-by-nighters.

Summary:

Let's count the ways this site is bad:

Sends e-mails from your friend's address, not from their web site address, so you can't block the spam
Misleading invitation email (going to the site - and even signing up - isn't sufficient for either my friend or myself to get the free stuff)
Blatant lie in the "No hidden costs" advertisement (unless of course you consider having to buy stuff from "advertising partners" and having your PII sold to all and sundry as a "benefit")
Gross mischaracterisation of the process to getting "free stuff"
Pyramid scheme. Need I say more? :-)
Incites users to add their friends to the "please spam me" list (OK, this is more the fault of clueless users than the web site itself, but it plays on people's gullibility, which is bad).
Requires a purchase from an "advising partner" to quality for the free stuff. The site almost certainly gets a kick-back from this purchase
More than likely also gathers ordinary advertising revenue from those same "partners"
Ships ridiculously short time-limited vouchers of minimal value after an overly-long delivery delay
Mathematically guaranteed that over 80% of their "users" will never actually qualify to receive the "free stuff" as advertised, even after giving away their PII (and the PII of their friends)
Maintains the right to sell / rent / market all the PII to whoever they want, whenever they want. Theoretically you can never be removed from their database, even if you cancel your account
They can simply decide to stop offering deals from their "advertising partners" at any point in time (thereby making it impossible for users to qualify for further "free stuff"), and live off the profits of their highly targeted e-mail and snail-mail marketing database
Claims to have a policy against spam, when they send spam themselves and enabling other spammers is clearly part of their business model!

Bonus section:

If you read the privacy policy down to the end, it says (paraphrased):

We use awesome security measures to protect the loss, misuse and alteration of your PII.

Surely the missing "against" is a mere typo... or is it? (Cue spooky music, with thanks to Eric!)

It's not just me:

A quick Googling of this company reveals that it is mentioned on a well-known "urban legends" web site and their e-mail practices have come under question from other people before.

Wrap-up:

We already have enough criminals, spammers, credit card phishers, 419-scammers, fraudsters, and other all-round "bad people" ruining the internet for everyone else -- don't voluntarily get yourself (and your friends) involved in web sites like this. Please, please, just take a second to think before you sign up for "free stuff" on the 'net.

...and I'm spent.