Spyware Sucks

Wow! It's been a while since I've seen a Web 2.0 startup become the target of such widespread negative press....

Note: I did my best to ensure that Quechup did not have access to any address books stored on my local PC, but there is one page, http://quechup.com/contactoutlook.php, that caused some disconcerting symptoms.  I run IE7 on Vista with Protected Mode enabled, and I emptied my default address book before starting, but I've learned in this business that anything is possible when you are playing with fire. My apologies in advance if anybody receives a Quechup mail from me

Robert Scoble says of Quechup (8 September 2007):

"This service sucks. Do NOT try it out."

David Lewis of Reve News says (7 September 2007):

"In its overzealous need to prove that it is a growing Web 2.0 start up, Quechup has turned its site into no more than a virus"

Dwight Silverman of TechBlog says (4 September 2007):

"Incidents like the Quechup scandal erode the very foundations of the Internet. A friend described it as "just a blip," and you know that? That's so true. And so sad.  When trust is lost, all is lost."

and (1 September 2007):

"Be smart, and stay away from this site. It's got serious ethical problems with the way it recruits new users."

Matt Dickman of Techno//Marketer says (1 September 2007):

"I am sorry and totally sick about falling for this stupid trick. Their site is horrible and obviously run by people who either don't know how this works or are just unethical in their handling of data."

Lora of whatisnew.com writes (8 September 2007): 

"I am sorry that I logged into Quechup, sorry that they stole your email addresses and spammed you. I feel helpless about it. I apologize. Please do let me know though if you’re on LinkedIn or Facebook (family and close friends, MySpace) and I’ll gladly add you."

Note Lora's comment that "Mistake #2: Facebook and MySpace politely will check your email address lists and tell you who is registered on their sites. Quechup had the same feature - or so I incorrectly thought - and I went into that section, then canceled out. My “click just to see” got me into trouble. Apparently, Quechup still sent the invites to everyone in my @hotmail.com address book."  

I saw something similar when I clicked on an address book check link mentioned at the start of this article.  The page froze IE7 and never completed loading - and there was something weird to left of screen.  A tiny snippet of code was exposed ("{literal}"), together with evidence of an embedded control.  To all intents and purposes, with IE7 running in Protected Mode, it should not have been able to access any of my address books, but one can never be sure.

Jay Lee, writer for the Houston Chronicle and creator and host of Technology Bytes Radio says (3 September 2007):

"Quechup has now sent multiple e-mails to all of my contacts inviting them IN MY NAME to join the service.  This is quite embarrassing. My contact list contains the addresses of all my friends as well as listeners to my radio show and readers of my column who I have corresponded with in the past.  As of this writing I have been thanked by some, questioned by others and had some very unpleasant things wished upon me and members of my family."

I must admit, this comment in response to Jay's story is just too exquisite not to repeat - I couldn't help but laugh:

"Instead of a cool new social networking app, it looks like just another mad junior high wankoff to tally up friends."

Then, indicating that Quechup's tactics are proving to be a rip-roaring success he says (4 September 2007):

"Traffic to baldheretic.com is through the roof right now.  We’ll see if the site can hold on and weather this category 5 Internet hurricane.  Also, still fielding responses to the invite coming in at a steady pace as well as over 100 invitations to join Quechup."

Then I read about a guy by the name of Matt Staggs who was fooled.  Matt wrote (31 August 2007):

"During the registration process, the site asked me if I'd like to see if anyone in my address book was already a member. Stupidly, I said it could go ahead.  Little did I know, the damned thing spammed every single contact I had, from work associates, to friends, to relatives, to even people I don't recall ever meeting. Every single one of them received an invite supposedly from me to join this service.  Now - at 8:50 p.m. at night - I find myself sending apology notes and warnings to the near 1,000 individuals I have in my address book. Very professional looking. Very smooth.  Anyway, if you're one of the people who supposedly received one of these "invitations," do NOT accept it. Delete it. I don't advise that you do any business with these people at all, and finally I am truly sorry for any inconvenience this may have caused for you."

Ok, so Matt is pissed off like so many other people, and his knee jerk reaction of writing to everybody in his Gmail address book to warn them and apologize is understandable... but check out Google's reaction to his email blast.  Poor Matt says (31 August 2007):

"Gmail has temporarily suspended my email account in response to the warning email I sent out to the people on my address book cautioning them about the Quechup "invitation".  This is an automated response by Gmail because it can only assume that I am spamming people because I sent out so many emails at once. The irony is killing me. As part of this suspension, I am also forbidden from setting an automated response message on my account, or forwarding email to another account. I am hoping that my suspension won't last long, and my attempts to reach anyone at Google have been utterly fruitless."

A Google Blogsearch reveals a maelstrom of complaints about Quechup:
http://blogsearch.google.com/blogsearch?q=quechup&rls=com.microsoft:en-US&ie=UTF-8&oe=UTF-8&startIndex=&startPage=1&um=1&sa=N&tab=wb

Ok, so it's time to take a look at this Quechup stuff and see if we can try to work out what the hell went wrong - how can so many net savy people have been fooled?  Let's have a look at the page in question, where Quechup prompts you to scan your address book (screenshot 9 September 2007):

It's quite obvious why so many people were fooled.  Quechup lied.  As you can see from the screenshot they say:

"...we'll find matches so you can add them to your friends network and **choose which non members to invite to join Quechup**. ... **We will not spam** or sell addresses from your contacts".

Hang on a goddamn minute.. they've changed their page!!!  Look carefully at the screenshot below - it says "so you can add them to your friends network and invite non Quechup members to join you".  This screen shot is from a blog entry dated 2 September 2007.

Oh, and a special note for those behind Quechup... the fact that you have put some of the new text in red, and in bold, is not reassuring at all ... actions speak so much louder than words!!!

Here is a screenshot of an older version of the Quechup page.. thanks to the blog in question for posting this, or we would never have known that things have changed.

As far as I can see when trawling the blogstorm about Quechup, nobody featured above has been given an opportunity to "choose" who is going to get an email about Quechup, even Lora whose blog is dated 8 September!!  I warn you, even if it turns out Quechup has changed the way they do things, DO NOT TRUST THEM!!  You cannot trust somebody to do the right thing going forward when they only changed the bad behaviour because they had been caught.  Just like you can't truly trust somebody who's behaviour is governed by what they are told is right, as distinct to what believe in their heart is right.

Next I had a look at the terms of service and privacy policy of both sites... I can't find anything specific to their actions, but then I read eWeek, which quotes Chief Security Analyst Mark Sunner of MessageLabs, Gloucester, England.  Mark says:

"In terms of what they're doing, it's incredibly antisocial, and we take a dim view of this sort of activity. But unfortunately they're covering themselves … buried in the small print," he told eWEEK. "When people subscribe, they're giving permission, probably without realizing it, for these messages to be sent."

I have read, and re-read, and re-read the Privacy Policy and Terms and Conditions of Quechup and can't see where users are giving permission for such wholesale spamming...  who knows, maybe they have been changed, just like the page highlighted above.

What are the lessons we can learn from incidents like Quechup?

First, what the hell are people thinking when they gave their Hotmail, Yahoo, Gmail or AOL usernames and passwords to a web-site like Quechup, simply because a 'friend' asked them to do so?  Are all of our education campaigns about the dangers of phishing and cyber criminals being neutralized by a desire to have as as many 'friends' as possible on whatever social networking site is your personal favorite?

And as for allowing a Web site access to your locally stored Outlook or Outlook Express address book - well, the mind boggles.

I've complained in the past about sites that desensitize us to dangerous behavior, and social networking sites can fall into this category.  Seriously.  In the end there is no difference between clicking on a link in an email from a 'friend' and handing over your address book, or giving over personally sensitive information like email account usernames and passwords, and clicking on a link in an email and giving over your PayPal or eBay username and password or, heaven forbid, your banking account username and password.  Yes, I know, there is a big difference between the potential damage caused by exposure of your email username and password and the username and password for your online banking service, but the reality is the former desensitizes you to the danger of the latter.

I ask you, when you review your email address book, or your address book on the various social networking sites out there, how many of your 'friends' have you actually met in real life.  Sit down and do an audit.  How many have you shared coffee with?  Stood in the same room as them?  Breathed the same air?  When we realize that we have not met so many of the people that we interact with online, why is it we are so quick to click first and ask questions later?  Why do we share our address books with a Web 2.0, social connection site, simply because our friend has also done so?  In many ways it reminds me of the total inanity that was the 'I love you' virus.  Many people received alleged love letters from remote acquaintances and opened the attachment. Did none of them ever stop to consider that it was really weird that they were receiving such a letter from that particular correspondent?  I remember asking one idiot if he had paused to consider the fact that it was just a little strange that he, a male, was receiving a love letter from a superior in another country that he had never actually met!!

Anyway, if those behind Quechup think that they can ride out this blogstorm, and that if they wait long enough the negative press will all go away, then they have another think coming.  I, for one, have a long memory, and so does the rest of the blogosphere.  Then there is the problem of Google and other search engines.  A Google search reveals negative press starting from link number 2.  A Google News search is all negative.  The same goes for a Google blog search.  In short, iDatecorp, you are seriously screwed.  Time to shut down your site and go home.  I can only hope that all of the negative press, and the lessons learned, will stop people from falling victim to future versions of Quechup and the like.

Here's a scary thought for you - let's hope that Quechup and the like are not simply sites owned by spammers who have hit on a brilliant idea to harvest as many live emails as possible....