Plaxo and Bebo - Spam or Spyware?
17th May 2005 Revised 24th May 2005 & 8th
October 2005
What are Plaxo and Bebo?
If you're an administrator of a corporate email system,
or even if you're just an end user you may well have
seen email messages such as this:
I am updating my address book and it would be very
helpful if you could click on the link below and enter
your contact details for me:
http://www.bebo.com/xxx/xxxxxxxxxxxxxxxxx
I am using a service that keeps contact details current,
just update your own contact details and then the changes
appear in selected friends' address books. When I update
my contact details you will see them in your address
book.
or
I'm updating my address book. Please take
a moment to update your latest contact information.
Your information is stored in my personal address
book and will not be shared with anyone else. Plaxo
is free, if you'd like to give it a try.
or
Sorry to be a pain but I'm updating my address book. I would be pleased if you would take a moment to update me with your latest contact info.
Both these services involve a downloadable application
for your PC connected to a web server back-end.
Plaxo has been around since 2002, and Bebo.com is
a service of a company called Birthday Alarm LLC which
was founded in 2001. Plaxo and Birthday alarm are two
quite separate companies, but their products have many
similarities.
Plaxo in particular is extremely assertive at protecting
its reputation and appears to regularly trawl the web
looking for sites critical of their application, or
alternatively is very keen to address concerns of potential
users in a transparent fashion. [Yes, they did contact
us.. within a week of publishing this article - you
can read Plaxo's response at the bottom
of the page.]
Are Plaxo and Bebo Spyware?
Let's assume that you are reading this article because
you are technically savvy - you are probably a webmaster, a
corporate mail administrator or work in IT support.
First of all, it depends what you mean by spyware
- this is a term that is used a lot and it covers a
variety of different applications. These applications
have privacy implications that users may not
be aware of at install time, although both sites spell
these out clearly (Plaxo does so very clearly) - however
most end users will not consider the privacy implications
for these products (we cover this further on).
Neither application does anything malicious. They
do not appear to record keystrokes, visited web sites,
interefere with page rendering or collect information
from your PC without your consent.
Sometimes spyware is also used to describe
applications that have been installed without the user's
consent. There is no evidence whatsoever that these
applications use any underhand technique to install
themselves on PCs. This means that if you find Plaxo
or Bebo on a computer, then the user installed it themselves
(despite whatever protests they may make that they haven't
been installing unauthorised applications).
What is the business model? When evaluating
free software this is the first question you
should ask. Some software is deliberately made free
(typically software released under the GPL licence such
as Linux or Firefox). However, all commercial companies
will require a return on their investment, and for many
years it was unclear as to what Plaxo's business plan
was. It was only in March 2005 that Plaxo introduced
its "Premium Services" which are a paid-for
upgrade to the free Plaxo service.. so it's clear that
the free Plaxo application is a loss leader. Bebo.com
and Birthday Alarm LLC have a different business model
- the original "Birthday Alarm" service is
a traffic generator for a fairly ad-heavy website, so
it's quite possible that Birthday Alarm LLC will use
Bebo as a traffic driver in the way they are doing so
already.
Is this installed without the user's consent?
There is no evidence that either Plaxo or Bebo.com are
installed without the express consent of their users.
In our experience, the users must explicitly download
the software and agree to the licence agreement. However,
you should note that in most corporations, users have
no authority to make such an agreement.
Do the applications bombard users with advertising?
There is no evidence that either application does
this, nor is there any evidence that either application
interferes with web browsers in any way.
Are there security implications? There is
no evidence to show that the Plaxo or Bebo.com applications
deliberately compromise security, however there is a
risk with any internet-enable application and as a general
rule you should never allow untested applications onto
your corporate network.
Are there privacy implications? It appears
that both Plaxo and Bebo store personally identifiable
information on servers based in the United States. Under
European Union law (and laws of some other countries)
it is unlawful to export personal data used for business
purposes to another country
unless the subject has consented to this, or unless
you are registered to do so. It is possible that
in some countries this export of data would be unlawful
and possibly make you liable to criminal proceedings.
(You should be aware that Plaxo and Bebo are not unusual
in this respect though). Note that other applications,
including the Google Toolbar, have privacy implications
that users may not be aware of.
Both Plaxo and Bebo have suitable statements regarding
privacy protection though, and Plaxo seems very committed
to protected privacy.
Are Plaxo and Bebo Messages Spam?
Many recipients of Plaxo and Bebo.com "update"
messages are extremely annoyed by them, and the frequency
that they come out. They can also send themselves indiscriminately
to mailing and distribution lists. Because both applications
will tend to email "update" messages to everyone
in the user's contact list, then they do appear to be
spammy. (You can Google for misdirected messages from
both Plaxo
and Bebo
to see the evidence for yourself)
In fact, both Plaxo and Bebo can be regarded as products
of "viral marketing". This isn't saying that
either application is a virus, however it does mean
that the applications leverage certain techniques to
"get the word out". Part of this is automated,
part of this is down to users making a deliberate choice
to join the Plaxo or Bebo.com communities.
Many recipients will regard the messages as spam.
Although both services send mail from their own servers
(rather than you own), you can easily see that an unrestricted
growth of either application in the corporate environment
can cause ill-feeling towards your business. Note that
Plaxo has stated publically that it is trying to deal
with this problem and has some guidelines in place to
try to prevent it.
Why You Should Not Allow These Applications
There's no doubt that both services offer some value,
however in many businesses both Plaxo and Bebo are completely
inappropriate. Some typical reasons for disallowing
them are:
- Untested Internet based applications generate
a risk to corporate security.
- You corporation probably already has contact
management tools (for example, Public Folders in
Microsoft Exchange) which may be under utilised.
- Any untested application on a client PC can
cause severe stability problems with other applications.
- Excessive "update" messages may damage
your relationship with customers and business partners.
- Local laws may prohibit the transfer of personal
data to a third party in this manner.
Blocking Plaxo and Bebo Messages
Plaxo are very up front about this and have even
given guidance on how to block Plaxo messages in their
corporate
weblog. In the case of Plaxo, you can block all
email messages coming from 66.151.150.148. We
have to give Plaxo full marks for publishing this. UPDATE:
as of September 2005, Plaxo's outbound messages appear
to be coming from the range 66.151.128.0 to 66.151.128.31.
You can safely block that entire range.
Bebo seems to send email messages from somewhere
in the range 65.19.128.160 to 65.19.128.191.
You can safely block this range, and that will have
the added advantage of stopping messages from Birthday
Alarm LLC's other services.
Stopping the mail messages in this way right now
will reduce the risk of unauthorised take-up of
these services by corporate users.
If you notice a new IP address, please contact
us.
Summary
Plaxo in particular seems to be extremely committed
to privacy and as we stated above has a policy of full
disclosure on many matters. The application is useful
for some, but in our view it is not appropriate for
many corporate environments. Their business model is
clear - it relies on "viral marketing" to
drive subscribers to the free product to act as a loss-leader
for Plaxo's paid for services.
Bebo seems to be pretty much in the same vein, except
the business model is not so developed. We believe that
Birthday Alarm LLC want to use Bebo to drive traffic
to their web properties, so that they can earn money
from on-site advertising. This is a fairly common business
model on the internet. Again, you will probably find
that you don't want to use Bebo in a corporate environment.
There is no evidence that either Plaxo or Bebo do
anything deliberately malicious, and indeed individual
users may find their services valuable. However, you
should approach any application you download from the
internet with caution and be aware of the implications
of using it.
Plaxo's Response:
Thank you for your recent article regarding Plaxo. To summarize some of the major points I believe were made:
- Plaxo is extremely committed to privacy and addressing customer concerns in a transparent and open fashion.
- Plaxo is not spyware and does not do anything malicious
- Plaxo may be useful to some, though in Dynamoo's opinion may not be appropriate within corporate environments.
I believe Dynamoo has done a good job at articulating some valid concerns any system administrator or even end-user should consider before using any software package. Proper testing and review should always be performed to ensure that any software package does not compromise the stability of the local system and/or the security of the network environment. In Plaxo's case, Plaxo currently has over 5M members making Plaxo the most used and trusted self-updating online Address Book service on the Internet. Each version of Plaxo is throughly tested prior to release to ensure the software maintains the proper quality for our growing installed base.
Many of our 5M members use Plaxo within their Enterprise work environments to help manage on a individual basis, both personal and business information. People use Plaxo to help them better manage their contacts, calendar, tasks and notes information they maintain. With Plaxo, members get:
- Anywhere, anytime access to their important Contact, Calendar, Tasks, and Notes information through our web-based Plaxo Online. This is extremely valuable to people away from the office who need that important number and only have access to a web-browser.
- Automatic backup and quick restore capabilities. This feature alone has been a tremendous life-saver for many users who have experienced a system crash, lost laptop, or other catastrophic PC failure. Within seconds, they can quickly restore their critical contacts, calendar, tasks and notes information.
- Multi-system synchronization. This feature allows people to have one address book sycn'd across multiple systems so there is no duplication of effort and information. For example, you can easily keep your work and home computer synchronized together.
- Birthday/Holiday Reminder Service. Members can use Plaxo to remind them of upcoming birthdays and to easily send the contact a friendly birthday greeting. This is an easy way to add a personal touch to a business relationship.
- Updating contacts with your latest contact information. Members can chose to send selected contacts Update Request messages containing the member's latest contact information. The recipient can use this information to easily update their own address books in order stay in touch with the Plaxo member. Even for business users, this can be a valuable activity to keep customers and other business associates outside of the company updated.
- Automatic Address Book Updates. Members can also receive responses from contacts that include the contact's updated information. These changes are automatically updated into the member's local address book. The member doesn't have to worry about the manual effort normally involved in updating contact entries. Again, a very useful benefit when staying in touch with important customers and contacts.
- Self-updating address book. When two contacts are both Plaxo members, they may connect with each other, allowing the other member's address book to be updated anytime the other updates their contact information. People don't have to manually send out messages, or manually update their own address books.
- Address Book Optimizer and Bounce Manager. Members can use Plaxo to clean up duplicate entries in their address book, and identify those contacts without a valid e-mail address. Business users can use this to clean up and update old distribution lists and remove the clutter they have collected over the years.
- Mobile (WAP) Access to Calendar and Phone information. Plaxo can be used to allow people on the go can stay connected to their Outlook address book and calendar information through WAP access to their synchronized Plaxo Online information. Plaxo can even send you a meeting reminder message 15 minutes before a meeting is to start so you never miss an important meeting.
Despite these benefits though, I agree that Plaxo may not be appropriate for everyone or every environment. But for those who wish to take advantage of some of the benefits I've mentioned, they can also be assured that their information is kept secure, private, and under their control. Our privacy practices are summarized by our Plaxo Privacy Principles, which state:
- Your Information is your own and you decide who will have access to it.
- You maintain ownership rights to Your Information, even if there is a business transition or policy change.
- You may add, delete, or modify Your Information at any time.
- Plaxo will not update or modify Your Information without your permission.
- Plaxo will not sell, exchange, or otherwise share Your Information with third parties, unless required by law or in accordance with your instructions.
- Plaxo does not send spam, maintain spam mailing lists, or support the activities of spammers.
These principles can be found in our Plaxo Privacy Policy which is our public statement of our privacy practices. It is there to allow people to judge our actions against our words and decide for themselves.
Thank you again for your article and the opportunity to comment. Should people have any questions regarding the Plaxo service, they can feel free to contact me directly.
Thank you,
Stacy Martin
Plaxo Privacy Officer
privacy @t plaxo.com
|