Spam-a-lot
Posted by Shane Keats on January 18, 2006 01:39 PM
Friends have told me that when they start using SiteAdvisor for the first time, they enjoy looking up our profiles of their favorite Web sites. But in some cases, they’ve been unpleasantly surprised to learn that their favorite sites’ e-mail practices are less than stellar.
Most Web users have given up trying to figure out the origins of their inbox spam and commercial e-mail. Some think it just spontaneously appears. More practiced users know about dictionary attacks, wherein a spammer sends e-mail to JohnSmith@, and JohnASmith@ and JohnBSmith@ and so on. Others might imagine that their address was sold, or maybe a site was bought by someone else who then changed the e-mail privacy policy. But there's no easy way to figure out who sold a user's address, or exactly how a user went wrong.
SiteAdvisor cuts through this confusion by signing up at every Web form our crawlers find using a unique, single-use e-mail address. That way, we can actually track commercial e-mail back to its roots. We've registered at more than 800,000 websites so far. For any piece of e-mail we receive, we know the original form where we signed-up that caused us to receive that e-mail. (You can see a more detailed explanation of how we perform this analysis.)
Today, I want to focus on some examples of Web sites where sign-ups resulted in a significant amount of commercial e-mail. In fact, like the download round-up last week, I’d like to make this a regular feature. (Let me know what you think.)
To be clear, we're not necessarily talking about sites that send spam in the legal sense. Many of the tested sites include language in their privacy policies which says that they may send commercial e-mail and that they may share users' addresses with third parties who will send more mail of their own. Now many sites aren't that clear about what they'll do, but a few are, and some even make these admissions on the Web page where you sign up. Still, we think most sites' disclosures are inadequate to let users make fully informed decisions. Among other important factors, users need to know how much e-mail they'll actually get before they can decide whether a site's offer is worth the price.
Let's start the rest of this discussion with a thought experiment. Suppose you're at a Web site that offers a "free product" in exchange for signing-up at their site. The freebie could be an on-line game or perhaps a chance at a sweepstakes. And let's assume that the Web site makes it clear that by signing up, you're agreeing that they can send you commercial e-mail and share your information with their third party affiliates.
Now, what if we told you that in order to get that game you'd end up receiving 1 commercial e-mail offer per week? Reasonable people might say that’s ok. What if we told you that, instead of 1 e-mail per week, it would be 1 e-mail per day? 2 per day? 10 per day? How about 20 e-mails per day? Is that game still worth it? SiteAdvisor strives to give you the facts to let you decide for yourself.
BullseyesGames (SiteAdvisor Analysis: BullseyesGames) describes itself as “one of the oldest online arcade gaming sites." Members can play games for free, submit high scores and rate games. Fair enough.
But in exchange for these games, BullseyesGames members could receive, on average, as many as 20 commercial e-mails per day. 142 per week. (At least, that's how much e-mail SiteAdvisor received when we signed up.) Now, do people say ‘yes’ to that? Bullseyes’ privacy policy is certainly easy to find and appears to be written for regular people as opposed to lawyers.
Our mission at BullseyesGames.com is to build users' trust and confidence in the Internet by promoting the use of fair information practices. Because this web site wants to demonstrate its commitment to your privacy.
That certainly sounds like a good start. From this intro, you’d think Bullseyes was a pretty good deal. But the next paragraph made our hair stand on end:
The personal information you provide BullseyesGames.com will allow us to alert you of new features, contests, prize fulfillment or special offers. BullseyesGames.com may also provide your personal information to other companies or organizations which offer products or services which may be of interest to you. In such cases, we will notify you that the information will be shared and provide you with an opportunity to opt-out and/or clicking a link that says "no thanks".
We think that paragraph raises more questions than it answers. For example, when will the user receive notification? When will he get the opt-out option? Can the site continue to give out the e-mail address in perpetuity? Is it the user's responsibility to keep track of which opt-outs are honored? How many "alerts" are we talking about anyway, and how many "other companies"? Those are questions I'd like answers to before I sign up. Here's hoping.
When SiteAdvisor looks at topics like commercial e-mail practices, we try to understand the economics behind the subject. And there’s a lot of economics behind e-mail address harvesting. Companies will pay $0.05 and more for a valid opt-in e-mail address. Generate enough e-mail addresses, and these nickels start adding up to real money.
The person who owns SweepAndVacFree.com (SiteAdvisor Analysis: SweepAndVacFree) seems to make money by subjecting visitors to a barrage of special offers, co-registrations, and surveys, all the while dangling the prospect of a free Swiffer at the end of this process. Each time a user submits his e-mail address to one of these offers, the site owner receives his “bounty."
In the Swiffer case, the user must flawlessly get through a minimum of 29 screens covering a massive 234 offers to get his free Swiffer, something that retails for $19.54 at Wal-Mart.com. As you can see, these are big brands being advertised. I saw offers from AOL, Nokia, Sprint, Gevalia, Ladies Home Journal, Disney and ADT during a recent visit I made.
Typically with sites like this, if a user fails to complete the process perfectly -- if he “breaks" the process in any way -- he doesn’t get the gift. But you can be pretty sure that the Web site keeps using his e-mail address.
Does the site disclose these practices? Sort of. This is an issue of “technical" disclosure which doesn’t really explain the full practical implications of what’s going to happen.
The site's privacy policy explains that the site “may use the personal information that you supply to us and work with other third party businesses to bring selected retail opportunities to our members." Read that, and you might think you'd get a few e-mails per week, or at most a couple per day. But it's far worse than that.
In our testing, signing up at SweepandVacFree resulted in a stunning 108 e-mails per week on average. Shouldn’t a user be told that? Shouldn’t “informed consent" be defined in such a way that the impact of a registration is quantified to the user in a way that's understandable? If, after being told that he will get 15 e-mails per day, a user still wants to go for the Swiffer, so be it. But in its current form, this site doesn't tell users the one fact they most need in order to assess the site's value.
A lot of expert Web and computer users fault consumers for failing to use their common sense. “Don’t go to sites you don’t know," is one typical bit of advice.
Uproar.com has been around since before the bubble burst. Alexa ranks them at 2,511. By any measure, this is a major Web property with significant traffic, a long Web life, and plenty of press coverage. Owned by Flipside, Uproar (SiteAdvisor Analysis: Uproar) offers on-line and downloadable games, contests and i-coins, Uproar's own online currency. Games are free for a short time. After a trial period, users must register to keep playing.
So how does Uproar make its money? It rents a lot of its real estate to advertisers, but it also runs its new members through a gauntlet of sign-ups. These are similar to the co-registrations we examined in the Swiffer example above.
Here’s SiteAdvisor’s post-sign up inbox:
119 e-mails per week. Now, look more closely at the rules and privacy policy:
Uproar.com never sends SPAM to your e-mail inbox. While we do send e-mails to our users, they are always permission-based emails, which means they require your consent. By sending you information about our most attractive offers we can offer Uproar.com's great games and prizes for FREE.
Uproar has been around for a while and it may seem safe. But I suspect that an extra 119 marketing e-mails per week -- whether they're "permission based" or just plain spam -- just isn't what most users are looking for.
Whatever you call commercial e-mail, whether it’s “solicited" or not, consumes time. (And if you're looking for a great laugh about e-mail nomenclature, watch, or re-watch, the Daily Show's profile of Scott Richter, a "high volume e-mail deployer.") Reading, deleting, unsubscribing, shouting at your inbox – it all takes time. In an ideal world, Web sites that ask for e-mail addresses would be required to disclose the volume, frequency and type of e-mail they or their partners would send. Barring that, the next best fantasy world would give each of us the time to read privacy policies and to sign up using disposable e-mail addresses. At a minimum, sites' policies should be written so that regular people can understand them.
But of course we don't live in that ideal world. So what SiteAdvisor has been doing since last spring is allowing ourselves to be spammed. We've tested these sites, and hundreds of thousands more, so you don’t have to find the hard way what will happen to your inbox when you entrust your e-mail to someone else.
As with our download tests, our e-mail material is available under Creative Commons License 2.5. We’d love to see e-mail researchers using this dataset in interesting ways. And please keep giving us feedback. It's super useful.
