What Did You Expect, Exactly?

From the "duh" file:

One site that’s catching people off guard is Quechup: we’ve got a volley of complaints about them in the mailbox this weekend, and a quick Google reveals that others were caught out too.

The issue lies with their “check for friends” form: during signup you’re asked to enter your email address and password to see whether any of your friends are already on the service. Enter the password, however, and it will proceed to mail all your contacts without asking permission.

I don’t know why anybody would be surprised by this. You gave them the username and password to your e-mail account! You should be happy that all they did was use it to spam a few people, and not, say, e-mail a death threat to the President in your name.

I’m a little appalled that reputable sites like Facebook continue this practice of asking users to hand over the credentials to their e-mail accounts:

[Image: Facebook friend finder does the same thing]

They are training an entire generation of users that it’s a good idea to hand out your passwords to random Web sites. News flash: it isn’t. Do you really trust some random site enough to hand them the keys to your personal data?

Defenders of the legitimate sites that do this (like Facebook) will point to that little gray disclaimer at the bottom of the image above to assure us that everything is OK. Well, guess what? Quechup has a disclaimer too:

[Image: Quechup disclaimer]

But you have to read the whole page to realize that the big red disclaimer doesn’t mean as much as you think it does. Check out this much larger screenshot of their give-us-your-email-password page to see what I mean. In smaller, less bold text, they actually kinda-sorta warn you of what they’re about to do, though in weasel-word language that obscures the truth:

Complete your account details below & we’ll check your contacts for matches on Quechup so you can choose who to invite to your Friends Network and invite non Quechup members to join you. By inviting contacts you confirm you have consent from them to send an invitation.

This makes it sound like you will have the option to send an invitation, not that Quechup will automatically send one for you. But they follow that immediately with this:

Quechup will not spam or sell addresses from your contacts.

… which probably put to rest the fears of the tiny minority of people who actually realized what they were agreeing to.

So what? Well, if there’s one thing we know after more than a decade of building the Web, it’s that people don’t read Web pages. They just don’t. At best, they skim over them looking for the key points. That means that their big takeaway from these pages isn’t the tiny disclaimers, it’s that it’s OK to hand over your password to any site that promises you something shiny in return. And it’s not.

Look, once you’ve handed over your password to somebody, they can do whatever they want with your e-mail account, including reading your mail, sending messages in your name and selling your address to the highest bidder. The only guarantee that you have that they won’t do these things is their word – and the Quechup example shows how much that’s worth.

"But Facebook wouldn’t do that!" you say. How do you know? Have you read their privacy policy? Do you know if it contains any "gotcha" language like Quechup used?

Any reputable site that follows this practice should stop. I’m looking at you, Facebook. You’re training your users to do Bad Things, and other, less scrupulous people – people like Quechup – are taking advantage of that.


Comments

gombal

September 8, 2007
7:34 pm

—- Look, once you’ve handed over your password to somebody, they can do whatever they want with your e-mail account, including reading your mail, sending messages in your name and selling your address to the highest bidder —-
You should already know about this before you decide to register an email account on Gmail, Yahoo, etc., because there is no guarantee that they won’t do the same thing :).
In fact, I have a feeling that Google is already doing quite a similar thing; that’s why their AdSense on my inbox fits with my received email subject…
Are you with me?