Updated
October 2005

   Dynamoo 2005

 

 

Plaxo and Bebo - Spam or Spyware?

17th May 2005
Revised 24th May 2005 & 8th October 2005

What are Plaxo and Bebo?

If you're an administrator of a corporate email system, or even if you're just an end user, you may well have seen email messages such as this:

    I am updating my address book and it would be very helpful if you could click on the link below and enter your contact details for me:

    http://www.bebo.com/xxx/xxxxxxxxxxxxxxxxx

    I am using a service that keeps contact details current, just update your own contact details and then the changes appear in selected friends' address books. When I update my contact details you will see them in your address book.

or

    I'm updating my address book. Please take a moment to update your latest contact information. Your information is stored in my personal address book and will not be shared with anyone else. Plaxo is free, if you'd like to give it a try.

or

    Sorry to be a pain but I'm updating my address book. I would be pleased if you would take a moment to update me with your latest contact info.

Both these services involve a downloadable application for your PC connected to a web server back-end.

Plaxo has been around since 2002, and Bebo.com is a service of a company called Birthday Alarm LLC which was founded in 2001. Plaxo and Birthday Alarm are two quite separate companies, but their products have many similarities.

Plaxo in particular is extremely assertive at protecting its reputation and appears to regularly trawl the web looking for sites critical of their application, or alternatively is very keen to address concerns of potential users in a transparent fashion. [Yes, they did contact us... within a week of publishing this article - you can read Plaxo's response at the bottom of the page.]
 

Are Plaxo and Bebo Spyware?

Let's assume that you are reading this article because you are technically savvy - you are probably a webmaster, a corporate mail administrator or work in IT support. First of all, it depends what you mean by spyware - this is a term that is used a lot and it covers a variety of different applications. These applications have privacy implications that users may not be aware of at install time, although both sites spell these out clearly (Plaxo does so very clearly) - however most end users will not consider the privacy implications for these products (we cover this further on).

Neither application does anything malicious. They do not appear to record keystrokes or visited web sites, interfere with page rendering or collect information from your PC without your consent.

Sometimes spyware is also used to describe applications that have been installed without the user's consent. There is no evidence whatsoever that these applications use any underhand technique to install themselves on PCs. This means that if you find Plaxo or Bebo on a computer, then the user installed it themselves (despite whatever protests they may make that they haven't been installing unauthorised applications).

What is the business model? When evaluating free software this is the first question you should ask. Some software is deliberately made free (typically software released under the GPL licence such as Linux or Firefox). However, all commercial companies will require a return on their investment, and for many years it was unclear what Plaxo's business plan was. It was only in March 2005 that Plaxo introduced its "Premium Services", which are a paid-for upgrade to the free Plaxo service, so it's clear that the free Plaxo application is a loss leader. Bebo.com and Birthday Alarm LLC have a different business model - the original "Birthday Alarm" service is a traffic generator for a fairly ad-heavy website, so it's quite possible that Birthday Alarm LLC will use Bebo as a traffic driver in the same way.

Is this installed without the user's consent? There is no evidence that either Plaxo or Bebo.com are installed without the express consent of their users. In our experience, the users must explicitly download the software and agree to the licence agreement. However, you should note that in most corporations, users have no authority to make such an agreement.

Do the applications bombard users with advertising? There is no evidence that either application does this, nor is there any evidence that either application interferes with web browsers in any way.

Are there security implications? There is no evidence to show that the Plaxo or Bebo.com applications deliberately compromise security. However, there is a risk with any internet-enabled application, and as a general rule you should never allow untested applications onto your corporate network.

Are there privacy implications? It appears that both Plaxo and Bebo store personally identifiable information on servers based in the United States. Under European Union law (and laws of some other countries) it is unlawful to export personal data used for business purposes to another country unless the subject has consented to this, or unless you are registered to do so. It is possible that in some countries this export of data would be unlawful and possibly make you liable to criminal proceedings. (You should be aware that Plaxo and Bebo are not unusual in this respect though). Note that other applications, including the Google Toolbar, have privacy implications that users may not be aware of.

Both Plaxo and Bebo have suitable statements regarding privacy protection though, and Plaxo seems very committed to protecting privacy.

Are Plaxo and Bebo Messages Spam?

Many recipients of Plaxo and Bebo.com "update" messages are extremely annoyed by them, and by the frequency with which they are sent. The messages can also be sent indiscriminately to mailing and distribution lists. Because both applications will tend to email "update" messages to everyone in the user's contact list, they do appear to be spammy. (You can Google for misdirected messages from both Plaxo and Bebo to see the evidence for yourself.)

In fact, both Plaxo and Bebo can be regarded as products of "viral marketing". This isn't saying that either application is a virus, however it does mean that the applications leverage certain techniques to "get the word out". Part of this is automated, part of this is down to users making a deliberate choice to join the Plaxo or Bebo.com communities.

Many recipients will regard the messages as spam. Although both services send mail from their own servers (rather than your own), you can easily see that an unrestricted growth of either application in the corporate environment can cause ill-feeling towards your business. Note that Plaxo has stated publicly that it is trying to deal with this problem and has some guidelines in place to try to prevent it.


Why You Should Not Allow These Applications

There's no doubt that both services offer some value, however in many businesses both Plaxo and Bebo are completely inappropriate. Some typical reasons for disallowing them are:

  • Untested Internet based applications generate a risk to corporate security.
  • Your corporation probably already has contact management tools (for example, Public Folders in Microsoft Exchange) which may be under-utilised.
  • Any untested application on a client PC can cause severe stability problems with other applications.
  • Excessive "update" messages may damage your relationship with customers and business partners.
  • Local laws may prohibit the transfer of personal data to a third party in this manner.
     

Blocking Plaxo and Bebo Messages

Plaxo are very up front about this and have even given guidance on how to block Plaxo messages in their corporate weblog. In the case of Plaxo, you can block all email messages coming from 66.151.150.148. We have to give Plaxo full marks for publishing this. UPDATE: as of September 2005, Plaxo's outbound messages appear to be coming from the range 66.151.128.0 to 66.151.128.31. You can safely block that entire range.

Bebo seems to send email messages from somewhere in the range 65.19.128.160 to 65.19.128.191. You can safely block this range, and that will have the added advantage of stopping messages from Birthday Alarm LLC's other services.

Stopping the mail messages in this way right now will reduce the risk of unauthorised take-up of these services by corporate users.

If you notice a new IP address, please contact us.
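As an added example (not part of the original article), the sender ranges quoted above can be collapsed into CIDR blocks for a mail gateway and checked against connection logs. The labels, the log-line shape and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# Inclusive sender ranges exactly as quoted in the article; labels are made up.
ARTICLE_RANGES = {
    "plaxo-original": ("66.151.150.148", "66.151.150.148"),
    "plaxo-sept-2005": ("66.151.128.0", "66.151.128.31"),
    "bebo-birthday-alarm": ("65.19.128.160", "65.19.128.191"),
}

def to_cidrs(ranges):
    """Collapse each inclusive range into its minimal list of CIDR networks."""
    return {
        label: list(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
        for label, (first, last) in ranges.items()
    }

BLOCKLIST = to_cidrs(ARTICLE_RANGES)

def match_sender(ip):
    """Return the label of the blocked range containing ip, or None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # malformed address in the log: never a match
        return None
    for label, nets in BLOCKLIST.items():
        if any(addr in net for net in nets):
            return label
    return None

# Constructed sample lines in a "connect from host[ip]" shape (an assumption).
SAMPLE_LOG = """\
May 17 09:01:12 mx1 smtpd[411]: connect from unknown[66.151.128.17]
May 17 09:01:40 mx1 smtpd[412]: connect from mail.example.org[192.0.2.25]
May 17 09:02:03 mx1 smtpd[413]: connect from unknown[65.19.128.191]
May 17 09:02:30 mx1 smtpd[414]: connect from unknown[65.19.128.192]
May 17 09:03:05 mx1 smtpd[415]: connect from unknown[66.151.150.148]
"""
CONNECT_RE = re.compile(r"connect from \S*\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def scan(log_text):
    """Return (ip, label) for every connecting client inside a blocked range."""
    hits = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        label = match_sender(m.group(1)) if m else None
        if label:
            hits.append((m.group(1), label))
    return hits

if __name__ == "__main__":
    print({k: [str(n) for n in v] for k, v in BLOCKLIST.items()})
    print(scan(SAMPLE_LOG))
```

The last address of the Bebo range (65.19.128.191) matches while its neighbour 65.19.128.192 does not, which is the boundary to verify after entering the blocks on a gateway.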
 

Summary

Plaxo in particular seems to be extremely committed to privacy and, as we stated above, has a policy of full disclosure on many matters. The application is useful for some, but in our view it is not appropriate for many corporate environments. Their business model is clear - it relies on "viral marketing" to drive subscribers to the free product, which acts as a loss leader for Plaxo's paid-for services.

Bebo seems to be pretty much in the same vein, except the business model is not so developed. We believe that Birthday Alarm LLC want to use Bebo to drive traffic to their web properties, so that they can earn money from on-site advertising. This is a fairly common business model on the internet. Again, you will probably find that you don't want to use Bebo in a corporate environment.

There is no evidence that either Plaxo or Bebo do anything deliberately malicious, and indeed individual users may find their services valuable. However, you should approach any application you download from the internet with caution and be aware of the implications of using it.


 

Plaxo's Response:

Thank you for your recent article regarding Plaxo.  To summarize some of the major points I believe were made:

  • Plaxo is extremely committed to privacy and addressing customer concerns in a transparent and open fashion.
  • Plaxo is not spyware and does not do anything malicious
  • Plaxo may be useful to some, though in Dynamoo's opinion may not be appropriate within corporate environments.

I believe Dynamoo has done a good job at articulating some valid concerns any system administrator or even end-user should consider before using any software package.  Proper testing and review should always be performed to ensure that any software package does not compromise the stability of the local system and/or the security of the network environment.  In Plaxo's case, Plaxo currently has over 5M members making Plaxo the most used and trusted self-updating online Address Book service on the Internet.  Each version of Plaxo is thoroughly tested prior to release to ensure the software maintains the proper quality for our growing installed base.

Many of our 5M members use Plaxo within their Enterprise work environments to help manage on an individual basis, both personal and business information.  People use Plaxo to help them better manage their contacts, calendar, tasks and notes information they maintain.  With Plaxo, members get:

  • Anywhere, anytime access to their important Contact, Calendar, Tasks, and Notes information through our web-based Plaxo Online.  This is extremely valuable to people away from the office who need that important number and only have access to a web-browser.
  • Automatic backup and quick restore capabilities.  This feature alone has been a tremendous life-saver for many users who have experienced a system crash, lost laptop, or other catastrophic PC failure.  Within seconds, they can quickly restore their critical contacts, calendar, tasks and notes information.
  • Multi-system synchronization.  This feature allows people to have one address book sync'd across multiple systems so there is no duplication of effort and information.  For example, you can easily keep your work and home computer synchronized together.
  • Birthday/Holiday Reminder Service.  Members can use Plaxo to remind them of upcoming birthdays and to easily send the contact a friendly birthday greeting.  This is an easy way to add a personal touch to a business relationship.
  • Updating contacts with your latest contact information.  Members can choose to send selected contacts Update Request messages containing the member's latest contact information.  The recipient can use this information to easily update their own address books in order to stay in touch with the Plaxo member.  Even for business users, this can be a valuable activity to keep customers and other business associates outside of the company updated.
  • Automatic Address Book Updates.  Members can also receive responses from contacts that include the contact's updated information.  These changes are automatically updated into the member's local address book.  The member doesn't have to worry about the manual effort normally involved in updating contact entries.  Again, a very useful benefit when staying in touch with important customers and contacts.
  • Self-updating address book.  When two contacts are both Plaxo members, they may connect with each other, allowing the other member's address book to be updated anytime the other updates their contact information.   People don't have to manually send out messages, or manually update their own address books.
  • Address Book Optimizer and Bounce Manager.  Members can use Plaxo to clean up duplicate entries in their address book, and identify those contacts without a valid e-mail address.  Business users can use this to clean up and update old distribution lists and remove the clutter they have collected over the years.
  • Mobile (WAP) Access to Calendar and Phone information.  Plaxo can be used to allow people on the go to stay connected to their Outlook address book and calendar information through WAP access to their synchronized Plaxo Online information.  Plaxo can even send you a meeting reminder message 15 minutes before a meeting is to start so you never miss an important meeting.

Despite these benefits though, I agree that Plaxo may not be appropriate for everyone or every environment.  But for those who wish to take advantage of some of the benefits I've mentioned, they can also be assured that their information is kept secure, private, and under their control.  Our privacy practices are summarized by our Plaxo Privacy Principles, which state:

  • Your Information is your own and you decide who will have access to it.
  • You maintain ownership rights to Your Information, even if there is a business transition or policy change.
  • You may add, delete, or modify Your Information at any time.
  • Plaxo will not update or modify Your Information without your permission.
  • Plaxo will not sell, exchange, or otherwise share Your Information with third parties, unless required by law or in accordance with your instructions.
  • Plaxo does not send spam, maintain spam mailing lists, or support the activities of spammers.

These principles can be found in our Plaxo Privacy Policy which is our public statement of our privacy practices. It is there to allow people to judge our actions against our words and decide for themselves. 

Thank you again for your article and the opportunity to comment.  Should people have any questions regarding the Plaxo service, they can feel free to contact me directly.

Thank you,


Stacy Martin
Plaxo Privacy Officer
privacy @t plaxo.com

 
