[privacy policy - i think not...]
*Beware of other sites infiltrating your address book...sadly, Flixster is not the only one.* (See this article from two years ago!)
Is Flixster a Big Fat Spammer? Are They Accessing Your AOL or Hotmail Address Book? The Answer to at Least One of These is Yes!
Recently I started getting invitations to join Flixster from both friends and complete strangers. Obviously, this was spam, but why were these complete strangers sending it to me? (For that matter, why were these friends inviting me to join Flixster, which is a social networking site geared towards movie reviews?)
Here’s what the typical spam invitation for Flixster looked like:
–
To: me@example.com
Subject: John D has sent you a private message
http://www.flixster.com/servlet/invite/619917699cmcA619918163Btlkhlp3Cm
John D
This note was sent via Flixster by John D (johndoe@hotmail.com) to me@example.com. If you prefer not to receive emails like this, tell us here: http://www.flixster.com/DoNotSend.jsp?e=me@example.com.
–
Then I noticed two curious things: 1. All the spam was coming from AOL and Hotmail accounts - real AOL and Hotmail accounts of real people, and 2. It was coming not just to me, but to role accounts at our organization - for example support@example.com. These people had really contacted us for support at one time or another, but a generic role account would hardly be a friend to whom you would send an invitation.
Then I got email from someone, a professional contact with an address at AOL, asking me (and everyone else in his address book) to please ignore the invitation to join Flixster which appeared to come from him but which, he said, had actually been sent by Flixster.
So, what is actually going on?
We decided to investigate, and here is what we found:
Once you join Flixster, Flixster commandeers your address book - your list of all of your personal contacts in your AOL (or Hotmail, Yahoo or Gmail) address book - and sends out an invitation to join Flixster “from” you. Oh sure, you enable them to do it - but clearly enough people are unaware of what they are doing that it’s causing a problem.
How?
Flixster is getting their AOL (and Hotmail, and Yahoo, and Gmail) passwords!
Read on.
Using AOL as an example, when you first sign up for Flixster using an AOL email address, after you select a username and password, the very next screen prompts you for your AOL password!
Here’s that screen - look how compelling it looks that you should give them your AOL password!:

If you use a Gmail address, you can get the same screen, only with the Gmail logo. Same for Hotmail and Yahoo.
Once you give them your password, they grab everyone’s email addresses from your AOL, Hotmail, Yahoo or Gmail address book, and spam them with the invitation. In your name using your email address.
And they access your AOL account before you ever get to the next step. Even though they make you feel as if you have complete control over the process by telling you “On the next page you will be able to select whom to invite”, they already have your contacts by that point. How do we know they access your account first? Watch what happens if you give them the wrong password:

How compelling does that look?
Now, who do we blame for all this? Flixster for asking for the password? The user for giving it to them? After all, the user had to take an affirmative action to send you the invitation spam. But, do they feel compelled to send it? Do they even understand what they are doing?
Do they feel that their ISP has approved this or even partnered with Flixster because Flixster has placed their ISP’s logo right next to the password prompt?
Is this phishing in plain sight?
For their part, Flixster is not only unrepentant about their tactics, but brags about them. An article in American Venture Magazine, following Flixster’s getting $2 million in VC funding last month, included the following:
“But the site has also grown due to its aggressive viral marketing practices that have raised the hackles of some potential users. Such practices might include the automated selection of your email account’s entire address book in order to send a Flixster invitation to all of your contacts. (Emphasis ours.)
But such practices are becoming increasingly more common as new and even established web sites look to attract visitors without expensive marketing campaigns and a hefty advertising budget.
“I attribute our success to a combination of both of those,” Greenstein said. “We make it easy to invite your friends. Other sites don’t provide good ways for people to spread the word. And, we tried to build a really compelling site.”
Flixster’s Terms of Service start out by saying: “I can’t believe you really clicked on this. What are you trying to find out? Here is our privacy policy (link to privacy policy).”
If you actually go on to read their Terms of Service, however, you’ll find that they mention nothing at all about this. Nothing. One way or the other. But they do, ironically, state that it is a violation of their Terms of Service to “Create a false or misleading identity of, including, but not limited to, a Flixster employee, or falsely state or otherwise misrepresent your affiliation with a person or entity, for the purpose of misleading others as to the identity of the sender or the origin of a message or to harvest or otherwise collect information about others.”
Oh, and it’s also a violation to “Disseminate any unsolicited or unauthorized advertising, promotional materials, ‘junk mail’, ‘spam’, ‘chain letters’, ‘pyramid schemes’, or any other form of such solicitation,” or to “Harvest or collect email addresses or other contact information of Members, including usernames, from the Flixster.com website by electronic or other means.”
But, it’s ok, because their entire TOS is governed by their privacy policy, which states very clearly:
“Our Just-Say-No-to-SPAM Policy
We do not send SPAM of any kind. The only email you will get from us is a weekly update of the latest movies and quiz questions and, of course, any personal messages sent directly to you by your friends.”
Me? I’ve now got a Just-Say-No-to-Flixster Policy.
NOTE the comment from one of Flixster's founders:
Hi Anne,
I am one of the founders of flixster. I happened upon your article via technorati.
As a social community on the web, we take issues of email privacy and permission very seriously. Obviously I am saddened by the way your article describes us. Let me clarify a couple things…
1. We do allow users to access common web-address books to select friends to invite. The whole point of flixster is sharing movie ratings with friends - so making it easy to invite people is very important for us. (This is also incredibly common practice around the web - see yelp/facebook/myspace and many others that also offer it. Plaxo actually offers a popular widget to allow any site to offer this feature).
2. We don’t do anything tricky or misleading. The invite friends screens are all clearly explained (visible even in your slightly fuzzy screenshots) and to actually send anything the user must click a button labelled “send invitations” on a screen with their friends’ names and a list of checkboxes.
3. We use the user’s credentials only to retrieve the contact list and then do not store them in any way. We absolutely don’t do anything malicious or affect their account in any way.
4. The user is then ALWAYS given the list of contacts and asked to select whom to invite. We do not invite anyone they do not select. Of course we want people to invite friends to come try our site - but it absolutely does not benefit us to send invites they didn’t intend and end up with angry users.
5. Once registered, users can control their settings on every single email we send - from weekly movie summaries to new friend requests. If you choose, you can receive no email from us at all.
6. We never sell, rent or buy email addresses from anyone. We are a small company. The intro to our terms of service was intended to be funny. In no way does it reflect us taking privacy issues lightly - which is exactly why we wrote our privacy policy in such clear terms.
Anyway, if you have any questions or want to discuss with me, drop me a note at the email above. I appreciate that your efforts are to help protect people from malicious or dangerous sites - a noble endeavor - I’m really sorry that you felt like our site fell into that category.
Sincerely,
Joe G
Labels: collaboration, personalisation, privacy, social media, social networks, social software
jess @ jesslaccetti.co.uk