September 11, 2007
Rapleaf Spams You Then Asks for More Addresses to Spam
If you value your friends, don't search for information on them on Rapleaf: They'll get spammed with a message designed to create just enough unease to panic them into signing up for an account, at which point they'll probably set someone else up for more spam.
This morning I checked my inbox and learned that someone has been looking for information about me on Rapleaf. I know this because my "friends" there decided to send me a notice:
Dear xxxxxx,
Someone researched your reputation on Rapleaf by searching "xxx@xxxx.com."
To view (or update) your profile, check out:
http://www.rapleaf.com/pub/xxxxx
Why does this matter?
Someone is interested in learning about you for business or personal reasons.
You are now aware of what information about you is publicly available on the internet.
You now have the opportunity to take control of your information and privacy online.
At Rapleaf, you can find such information as age, location, history, social network links, and more on over 60 million people. And you can make all or some of the information about yourself private.
-Your friends at Rapleaf.com
www.rapleaf.com
What a skeezy pitch!
And actually, there were several spams: one for each of several addresses.
Rapleaf isn't doing anything illegal. It's just harvesting what's out there. In this case it was funnier than not, because the address it notified doesn't have any accounts on any social networking sites, Amazon wishlists, or any of the other stuff Rapleaf trawls for. Then it offers you a way to make that information no more available than it was before Rapleaf went trawling for it, provided you trade away a bit more of your privacy by signing up for an account and, indirectly, validating Rapleaf's data.
Because I am interested above all else in science, I went ahead and let my throwaway account be a guinea pig to see what registration with Rapleaf might get me. The account isn't connected to anything, so there wasn't any data to validate.
Rapleaf had a message waiting for me on my new profile page:
"By creating a Rapleaf reputation, you have taken a step towards a society where it is more profitable to be ethical."
How comforting.
Rapleaf offers new members the opportunity to upload an address book from Gmail, AOL, Yahoo, Hotmail or Outlook, which I think is how I must have earned the three spams Rapleaf sent my way this morning. I didn't take that step because I had a suspicion I'd be setting up a bunch of friends and coworkers for a scare-spamming.
According to Rapleaf's privacy policy, those addresses are classified as non-personally identifiable information (non-PII). While the company says it won't ever "sell, rent, or lease email addresses to clients or third-party marketers," it's happy to use non-PII data for "targeted advertising," where the targets are, apparently, anyone in the address book of anyone signing up for Rapleaf, or any e-mail address someone searches for on Rapleaf.
I wonder what this does to pseudonymous profiles in cases where someone's friend has filed several e-mail addresses under a single address book entry?
Let's say, for instance, I have an imaginary friend named Chuck. Let's say my imaginary friend is a deacon at his church. Chuck's MySpace and Facebook pages reflect that he is a devout Methodist who loves his children and married his high school sweetheart. Let's say the address Chuck uses for all his online wholesomeness is "chuck@wholesomeness.foo."
At this point, Rapleaf knows three things about Chuck: His e-mail address and two social networking sites he maintains presences on.
Now let's imagine Chuck has a curious hobby. Maybe Chuck really enjoys consensual bondage. Enjoys it so much that he has his own domain ... "consensualbondage.bar" ... where he has a blog. Chuck's not interested in his co-religionists knowing that about him, not because he thinks it's wrong, but because he's not dumb enough to think there's no stigma attached to his hobby. So Chuck has been careful about his online life: He's paid a little extra to anonymize his domain registration. He only uses the address "leatherdaddy@consensualbondage.bar" when he's registering for social networks where he wants to be able to talk about his hobby.
At this point, Rapleaf knows three things about someone who goes by "leatherdaddy@consensualbondage.bar:" It knows that he's got an Amazon wishlist that's sort of naughty, a flickr page with pictures of consensual bondage people who read his blog send to him for posting, and that he's "leatherdaddy" on several social networking sites.
The thing Rapleaf is missing is any connection between this "leatherdaddy" character, master of the flog and knot-tying king, and "chuck," Methodist deacon.
So let's say Chuck and I have known each other for a long time ... 20 years. Let's say I was his best man, even. Let's say that Chuck even kept his hobby from me for a long time. Then one day Chuck slips up and sends me a mail with a reply-to of "leatherdaddy@consensualbondage.bar." Because my spam filter nearly caused me to miss the mail, I add the leatherdaddy address under Chuck's entry in my address book as an "other" e-mail so it'll be whitelisted in the future. The next time I see Chuck, I ask him about the address thinking there might be a funny story, and he decides to confess to me that he and his wife love to go to costumed sex parties where he ties her up and spanks her. He makes it clear that this is a secret of his ... one he's not interested in sharing with anyone and that he'd probably not have even told me if he hadn't slipped up.
Suddenly, I'm in possession of some information about Chuck that I know I'll never share willingly with anyone else, but I've probably forgotten it's in my address book, or it doesn't occur to me that my address book is interesting to anyone besides me.
So when I get a scary spam from Rapleaf telling me someone's looking for information on me, after I get over my initial panic that Rapleaf has somehow gathered information I haven't already made public, I decide that this whole thing might be kind of cool. The privacy policy says Rapleaf will never sell e-mail addresses, so I upload my address book, the better to see who I know that's already using the service.
Now Rapleaf has that missing connection. It's got a record that strongly suggests "leatherdaddy@consensualbondage.bar" might be the same person as "chuck@wholesomeness.foo."
What's next for Chuck? Do his two distinct profiles commingle at that point? If they don't now, might they eventually? I don't know, and I don't want to set more people up for spam from Rapleaf by looking around for similar situations among my friends.
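To make the mechanism concrete, here is a toy model of the linkage step, added for this post and not Rapleaf's code (how Rapleaf actually stores or joins its data is not known here). It assumes the simplest plausible design: scraped facts keyed by e-mail address, and an address-book entry that carries two addresses treated as evidence that they belong to one person. The class and method names (IdentityGraph, upload_address_book, opt_out) and the profile data are constructed for the example.

```python
"""
Toy model of how an uploaded address book links two e-mail identities.
This is an added illustration, not Rapleaf's code; the names and the
data below are constructed for the example.
"""
from collections import defaultdict, deque


class IdentityGraph:
    """Scraped facts are keyed by e-mail address. Addresses are nodes; each
    piece of linking evidence (here: two addresses filed under one address
    book entry) is an edge. An 'identity' is a connected component."""

    def __init__(self):
        self.facts = defaultdict(set)     # email -> facts scraped about it
        self.edges = defaultdict(set)     # email -> linked emails
        self.evidence = []                # (email_a, email_b, source), never pruned

    def add_fact(self, email, fact):
        self.facts[email].add(fact)
        self.edges.setdefault(email, set())

    def link(self, a, b, source):
        self.edges[a].add(b)
        self.edges[b].add(a)
        self.evidence.append((a, b, source))

    def upload_address_book(self, uploader, contacts):
        """contacts: iterable of (name, [emails]). An entry with more than one
        address is taken as evidence that those addresses are one person."""
        for name, emails in contacts:
            for other in emails[1:]:
                self.link(emails[0], other, f"{uploader}'s address book, entry {name!r}")

    def identity(self, email):
        """Every address reachable from `email` through linking evidence."""
        seen, queue = {email}, deque([email])
        while queue:
            cur = queue.popleft()
            for nxt in self.edges.get(cur, ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return sorted(seen)

    def search(self, email):
        """What a searcher sees: facts for every address in the identity."""
        return {e: sorted(self.facts.get(e, ())) for e in self.identity(email)}

    def opt_out(self, email):
        """Remove an address's facts and edges from the live graph. The
        evidence log (and any copy already handed on) is untouched."""
        self.facts.pop(email, None)
        for other in self.edges.pop(email, set()):
            self.edges[other].discard(email)


def chuck_scenario():
    """The hypothetical from the post: Chuck's two addresses are linked only
    once his friend uploads an address book. Returns the search results
    before the upload, after it, and after an opt-out, plus the evidence log."""
    g = IdentityGraph()
    # Constructed sample data standing in for scraped public profiles.
    for fact in ("MySpace profile", "Facebook profile"):
        g.add_fact("chuck@wholesomeness.foo", fact)
    for fact in ("Amazon wishlist", "flickr page", "several social-network accounts"):
        g.add_fact("leatherdaddy@consensualbondage.bar", fact)

    before = g.search("chuck@wholesomeness.foo")

    # The friend's address book: Chuck's entry carries both addresses.
    g.upload_address_book("mhall", [
        ("Chuck", ["chuck@wholesomeness.foo", "leatherdaddy@consensualbondage.bar"]),
        ("Alice", ["alice@example.test"]),
    ])
    after = g.search("chuck@wholesomeness.foo")

    g.opt_out("leatherdaddy@consensualbondage.bar")
    after_opt_out = g.search("chuck@wholesomeness.foo")
    return before, after, after_opt_out, g.evidence


if __name__ == "__main__":
    for label, result in zip(("before", "after", "opt-out"), chuck_scenario()[:3]):
        print(label, result)
```

Before the upload, a search for Chuck's public address returns only his public profiles; after it, the same search returns the leatherdaddy facts too. Opting the second address out removes it from the live graph, but the evidence log that recorded the link is a separate record, which is the point about copies held elsewhere.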
Whatever happens, Chuck will get a message pointing out that the connection is there to be made, and that if he wants that connection re-obscured he can sign up for an account or send an opt-out mail:
An individual may request information removed for a given email address by emailing opt-out@rapleaf.com. This email address and information pertaining to this email address will no longer be displayed on the Rapleaf site and will be physically removed from Rapleaf's databases.
But Rapleaf's just a subsidiary. Is that connection still around somewhere else? Like Upscoop or Trustfuse? Rapleaf's not really on the hook for having the information: It didn't get it illegally, so if it happens to pass the connection along to its corporate parent or sibling before removing the record, the information's still there and still reusable at some future point.
Chuck's never going to know one way or the other, and he's never going to know who saw that connection before he managed to opt out (or sign up and remove it that way).
My imaginary friend's potential embarrassment is limited in harm to what connections Rapleaf might ferret out and publish. Imagine that connection as part of the services Rapleaf sells, and let's make Chuck's alter ego a member of a group for people with a rare but curable disease, labor activists, or any other demographic employers can't fire for, but won't hire either. Rapleaf sells the connections and relationships it accrues to make it easier for marketers to automate research. Or, perhaps, for an employer to dump a list of e-mail addresses harvested from the week's received résumés to see if there are any troubling connections.
If you pause to consider the storied failings of Web censorware, which sometimes blocks sites because they link to a site that links to a site with "objectionable content," you get a hint of why a skittish HR department with a database of every single online group, list or "network" you belong to along with any connections your friends may have inadvertently provided is not a happy prospect.
Because the online world is fueled by hyperbole and overreaction, a certain type of personality is going to suggest two things pretty quickly in an effort to be the lone voice of reason in a mob of pitchfork-wielding privacy nuts:
The whole (hypothetical) situation is Chuck's own damn fault. He screwed up the day he forgot to check which address he was mailing from, then he screwed up by not making sure his careless friend deleted the mail and didn't record the address.
Rapleaf's not being "evil" because facts are facts ... aggregating and presenting them is ethically neutral, no more laden with moral import than telling a stranger the time.
I'll happily concede that Rapleaf is not evil. I'll even concede that the whole thing is Chuck's fault, to the extent he started the chain of events in motion.
Does that make Rapleaf seem any more desirable to you? It doesn't to me, and I'm pretty sure it's a service I'll do my best to avoid helping out in any way I can. And it provides another moment to stop and think about the services it's harvesting information from. Are any of them worth what another Rapleaf could make of them?
Posted by mhall at 7:26 PM