Recently I started getting invitations to join Flixster from both friends and complete strangers. Obviously, this was spam, but why were these complete strangers sending it to me? (For that matter, why were these friends inviting me to join Flixster, a social networking site geared towards movie reviews?)
Here’s what the typical spam invitation for Flixster looked like:
—
To: me@example.com
Subject: John D has sent you a private message
John D
This note was sent via Flixster by John D (johndoe@hotmail.com) to me@example.com. If you prefer not to receive emails like this, tell us here: .
—
Then I noticed two curious things: (1) all the spam was coming from AOL and Hotmail accounts – real AOL and Hotmail accounts of real people – and (2) it was coming not just to me, but to role accounts at our organization, for example support@example.com. These people had really contacted us for support at one time or another, but a generic role account is hardly a friend to whom you would send an invitation.
Then I got email from someone, a professional contact with an address at AOL, asking me (and everyone else in his address book) to please ignore the invitation to join Flixster which appeared to come from him but which, he said, had actually been sent by Flixster.
So, what is actually going on?
We decided to investigate, and here is what we found:
Once you join Flixster, Flixster commandeers your address book – your list of all of your personal contacts in your AOL (or Hotmail, Yahoo or Gmail) address book – and sends out an invitation to join Flixster “from” you. Oh sure, you enable them to do it – but clearly enough people are unaware of what they are doing that it’s causing a problem.
How?
Flixster is getting their AOL (and Hotmail, and Yahoo, and Gmail) passwords!
Read on.
Using AOL as an example, when you first sign up for Flixster using an AOL email address, after you select a username and password, the very next screen prompts you for your AOL password!
Here’s that screen – look how compelling it looks that you should give them your AOL password!:
If you use a Gmail address, you can get the same screen, only with the Gmail logo. Same for Hotmail and Yahoo.
Once you give them your password, they grab everyone’s email addresses from your AOL, Hotmail, Yahoo or Gmail address book, and spam them with the invitation. In your name using your email address.
And they access your AOL account before you ever get to the next step. Even though they make you feel as if you have complete control over the process by telling you “On the next page you will be able to select whom to invite”, they already have your contacts by that point. How do we know they access your account first? Watch what happens if you give them the wrong password:
How compelling does that look?
Now, who do we blame for all this? Flixster for asking for the password? The user for giving it to them? After all, the user had to take an affirmative action to send you the invitation spam. But, do they feel compelled to send it? Do they even understand what they are doing?
Do they feel that their ISP has approved this or even partnered with Flixster because Flixster has placed their ISP’s logo right next to the password prompt?
Is this phishing in plain sight?
For their part, Flixster is not only unrepentant about their tactics, but brags about them. An article in American Venture Magazine, following Flixster’s getting $2 million in VC funding last month, included the following:
“But the site has also grown due to its aggressive viral marketing practices that have raised the hackles of some potential users. Such practices might include the automated selection of your email account’s entire address book in order to send a Flixster invitation to all of your contacts. (Emphasis ours.)
But such practices are becoming increasingly more common as new and even established web sites look to attract visitors without expensive marketing campaigns and a hefty advertising budget.
“I attribute our success to a combination of both of those,” Greenstein said. “We make it easy to invite your friends. Other sites don’t provide good ways for people to spread the word. And, we tried to build a really compelling site.”
Flixster’s Terms of Service start out by saying: “I can’t believe you really clicked on this. What are you trying to find out? Here is our privacy policy (link to privacy policy).”
If you actually go on to read their Terms of Service, however, you’ll find that they mention nothing at all about this. Nothing. One way or the other. But they do, ironically, state that it is a violation of their Terms of Service to “Create a false or misleading identity of, including, but not limited to, a Flixster employee, or falsely state or otherwise misrepresent your affiliation with a person or entity, for the purpose of misleading others as to the identity of the sender or the origin of a message or to harvest or otherwise collect information about others.”
Oh, and it’s also a violation to “Disseminate any unsolicited or unauthorized advertising, promotional materials, ‘junk mail’, ‘spam’, ‘chain letters’, ‘pyramid schemes’, or any other form of such solicitation,” or to “Harvest or collect email addresses or other contact information of Members, including usernames, from the Flixster.com website by electronic or other means.”
But, it’s ok, because their entire TOS is governed by their privacy policy, which states very clearly:
“Our Just-Say-No-to-SPAM Policy
We do not send SPAM of any kind. The only email you will get from us is a weekly update of the latest movies and quiz questions and, of course, any personal messages sent directly to you by your friends.”
Me? I’ve now got a Just-Say-No-to-Flixster Policy.
The Internet Patrol is completely free, and we don't subject you to ads or annoying video pop-ups. But it does cost us out of our pocket to keep the site going (going on 20 years now!) So your tips via CashApp, Venmo, or Paypal are appreciated!
Receipts will come from ISIPP.
Very interesting article. There was some more news recently that mentioned Flixster — it was in a Wall Street Journal article, that was summarized at http://technews.acm.org/archives.cfm?fo=2011-08-aug/aug-19-2011.html#537049 . ((There is also a link from there to “View Full Article”… but that one says, <>. So I have not actually read the WSJ article [yet]; but I have read the summary at ACM TechNews. Also, reading the comments here, has given me some insight into the company Flixster, and how much care [“if any”] they put in to making sure that each and every “invitation” message sent, is really authorized and “OKd” explicitly by the person who is the purported “SENDER” of the “invitation” (OR “reminder”!) message. . . . . . . . Give me a break! I think perhaps one of the reasons why Flixster does certain things, that another co. would not do, is that given the current state of their reputation, in the minds of knowledgeable people (like the writers at the Wall Street Journal), I don’t think there is much room, for their “level of respect” to get much lower. … . . . Just my 0.02. YMMV … C U !
How do I get out of Flixster? I want to discontinue my account; I cannot even remember ever joining them.
Hey Mr Flixster – Joe, stop spamming people that use the internet legitimately and don’t need your fake emails.
Hahaha! I agree with Trent. You people are idiots.
READ WTF YOU’RE DOING!
Why in the hell would you give away your user/pass from *OTHER* sites to some new random site you’ve decided to sign up for?
Phish phish phish hook!!!!
You know what. I might make a virus and email it to them, lol.
Oh, let me say this again:
READ THE INSTRUCTIONS ON YOUR SCREEN!
I was reading through the comments from earlier. If someone’s reputation can be tarnished by sending an e-mail to join a website, then that must not be a very strong reputation …..
There’s a very simple solution: Just skip the step. Yeah, this is a bit of a sneaky practice, but as the user you’re given EVERY opportunity not to do it! So, if part of the blame lies with Flixster, a bigger amount lies with lazy users who aren’t actually looking at what’s on their screen, just blindly entering their password when asked for it and clicking “next.”
It would be GREAT if Flixster stopped doing this. It would be EVEN BETTER if people would just pause to read the instructions on their screens.
Everyone should contact the FCC, FTC and the BBB regarding these a-holes.
There is a very simple solution to all of this even if you’re paranoid about this… just change your password often.
My advice is to get whatever benefit you can out of the service and then protect yourself by changing your password – simple enough; then move on to bigger and better things.
About missing emails, well, I can really help with that part other than to say what I’d do.
For me, if I made the mistake of sending out unintended invite emails, I’d consider that a good learning experience, one that I would make sure I learned well so I wouldn’t make the same mistake again.
I’d still likely use this type of service in the future, the reason being that I don’t live my life out of fear and never stick my head in the sand. I’d just make sure to read and observe what’s happening around me, and if all else fails I’d use a secondary email account.
I hope this was helpful.
BTW, I even state the change password advice on my website.
I have a casual and informal email account and one mainly used for business. One of my friends must have been tricked by Flixster and it appeared she had left a message for me on Flixster from my business email. I therefore signed up to see what she had said, but once I saw the page that prompted me to invite people I closed the window immediately, as it would be highly inappropriate to send this kind of invitation to business contacts. Today I have found out that the invitations have been sent to EVERYONE on my business contact list. I was horrified and cancelled my account immediately. I am also highly embarrassed and am sure this will cast an unsavory taste on my business relationships and make me look highly unprofessional. I am not angry at my friend, as she had been tricked in the same way, but at this unscrupulous and corrupt company.
Joe. How can you be so stupid as a founder of a company to assume that everyone in your contact list is ‘a friend’? You can’t, and you and your company know this. You and your corrupt company have tarnished my professional image and I will have a lot of work to do to restore it. I will be ensuring that at every cost everyone I know immediately cancels their accounts and am determined to spread the word about your underhand business tactics. You should be ashamed of yourself, but I doubt you are.
My wife just received one of our photos that was posted on Facebook of her daughter and me. I find this quite disturbing since the email stated “Is this a profile of you” and if I clicked ‘yes’, then it would ‘add’ it to their collection. I’m not too fond of spreading pictures of my family all over the internet and promptly unsubscribed from their list. I don’t know how they got my Facebook information, but I will be more cautious in the future. Btw, stay away from these guys.
I’m sorry, but I don’t see that this is a problem; it’s perfectly stated, even at the top it has a caveat in brackets; it’s all overblown nonsense from luddites.
Is there ANY way to stop Flixster spamming your contacts after you have made the mistake and given them your address book? I had like thousands of contacts and they are emailing them all, all the time. My customers, blogs, Google groups etc.… It’s a disaster…
hey boo
flixster, all i have to say is; fuck you.
Mmm… I visited my mailbox over ~2 months and had shitloads of this kinda “quiz” mails from good friends. I added their local mail address and a wrong password, but still it’s quite irritating. I don’t know much about “e-rules”, but it seems to be quite illegal. Can’t it be eliminated for “stealing”?
What I want to know is – how do I stop Flixster sending me stuff, when they have stolen my ID from someone else’s address book?
This scam uses software made by sigmavisual.com; go to their Web site to see the other sites that use this pestilential product and avoid them, too.
PLEASE BE ALERT…WHEN I GOT A QUIZ FROM A FRIEND..AS YOU ANSWER THE FIRST QUESTION, IT TAKES YOU TO FLIXSTER WEB SITE AND GETS YOU INVOLVED TO SEE THE COLOR BLINDNESS QUIZ..IF YOU HAVE TO SEE YOUR ANSWER..THEN IT FORCES YOU TO LOGIN, THEN IT IMPORTED 300+ OF MY CONTACTS FROM THE YAHOO ADDRESS BOOK…CLEVER ME…UNSELECTED EACH AND EVERYONE EXCEPT ONE..BUT GUESS WHAT CRAP HAPPENED…IT SENT THE QUIZ TO EVERYONE OF MY CONTACTS SINCE I AM GETTING EMAILS SAYING YOUR FRIEND LOVES YOU AWWWWWWWWW…WHAT A SICK WAY TO MAKE YOUR WEBSITE GROW..ULTERIOR MOTIVE IS FOR THE FOUNDERS TO MAKE THIS POPULAR …BEG SOME GIANT TO BUY THEM AND ONCE THE ACQUISITION HAPPENS..THESE FOUNDERS WILL HAVE MULTI MILLION DOLLARS IN THE BANK ACCOUNT BY CHEATING THE PUBLIC ACQUIRING ALL THEIR CONTACTS IN ADDRESS BOOK AND INVADING THEIR PRIVACY…WE SHOULD ALL SUE THIS COMPANY FOR INVADING PRIVACY, MAKE A COMPLAINT IN BBB AND MAKE SURE THEY DON’T GROW LIKE A WEED……….
FLIXSTER TALKS ABOUT OPEN SOCIAL
CHECK THE YOU TUBE LINK FOR THE FOUNDERS TALK….
THEY ARE FOCUSING ON GROWTH AS PER JOE, BUT YOU DON’T GROW BY INVADING PEOPLE’S PRIVACY AND STEALING ADDRESS BOOKS……
Hey Miroslav,
sharon f just posted a new talk message to your profile.
—
I didn’t give them my mail but I think that I registered.
Flixster is shit. I didn’t fall on their tricks because yahoo states that only from two pages they always ask for your ID. And this was not the one.
Hello Dear Friend.
I’m Ihsan, 26 years old. I’m from Pak but now I live in Sharjah, UAE.
I have a job here in UAE.
I need a good friend?
Can you make me your friend?
If you like, please mail me
(ullahihsanwhp@yahoo.com
Basically, this is another example of people needing to pay attention. I did sign up at what appeared to be my sister-in-law’s double request, but I bypassed the screens asking for my passwords to existing accounts. When I logged in I saw she had no info filled out and had apparently not even set up an account. Overall I think Flixster is a shady company sending out spamming emails in a most disgusting violation of a user’s trust, and acts just like any other phishing website and should be shut down.
So you’re definitely right, and you could try a lawsuit on them, but I say just let it go and let them learn from it… I personally look anything up and do background checks on anything before I join it, so you should do the same thing… Besides, this Flixster shit sounds pretty lame anyway; it would be one thing if they actually let you watch the movies, but instead you’re stuck with just that quiz stuff and etc…
I have been using Flixster for some time now and I think there’s really some problems with it.
Ok first of all, I’m not as smart as you guys, just by looking at your article already made me dizzy >.>
Anyway, the first thing that really made me think was that Flixster wants my MSN password. I was really surprised they’d ask for such a thing. But then 2 of my friends had been using Flixster (if it weren’t because of the invitation they sent me, I’d have no idea, EVEN NOW), so I thought if they think it’s safe, it should be, so I gave it out (kinda stupid now I think about it).
Then a few weeks passed, in that time I got nothing but sometimes random quizzes from Flixster. Then just recently I started getting a lot of junk mail. I was wondering if it was because of Flixster, because for the last 3 years I haven’t received a single junk mail ’til I joined Flixster… Can this really be the work of Flixster? Or is it simply some events happening at this time?
Anyway, reading from the above comment, I better cancel the account and change the password now…= =
Flixster has taken over my contacts and has been mailing everyone including my employers and professors. This is a disaster. Not only have you made me look completely unprofessional, but you hide behind some B.S. semantics to cover the fact that you are just a bunch of greasy hacks who will do anything including, but not limited to: using an individual’s name to promote your site, harassing all of their contacts to the point of the individual being junked, and pushing an otherwise mediocre site into notoriety for its depths of depravity.
Why don’t you tell us how to have Flixster stop sending emails on our behalf?
I was furious when I wrote the last time. So I might have accused some of you for things that I should not have. I apologize for that. But nevertheless I still wonder how I got on that lady’s list of friends. But as a rule of thumb, never give out passwords at any time, no matter how trustworthy the site seems to be.
ps: I am not an employee of flixster. I’m not old enough to work!
That is not a true statement. I am a member of Flixster, and it’s a nice site dedicated to movies. Nobody spams on there.
I think I may have found out about a new way of recruiting members. I received early this morning (CET) three mails from the same person. All the same inviting me to Flixster. But the thing is. I do not know this person. It’s not a friend I know of. So maybe they have changed their somewhat questionable ways and are now buying addresses to send to. And a mental note; I have this suspicion that the users praising Flixster are just employees of the company. But I’m wondering how I got on that lady’s list of contacts.
I have never signed up for a Flixster account, but today received several emails from people in my contacts saying they had received Flixster invitation emails from my Hotmail account.
Hmm.
My Msn… I get TWO emails from the Flixster from the SAME person, on two of my accounts, where the sender is on my contact list.
I was VERY skeptical about the emails, since I had TWO of them, on two accounts. I opened them, but I refused to click on the link.
I think I’ve done good!
I prefer disposable mail addresses, and I assume that ‘Flixster’ doesn’t have such an option?
As an ISP, action taken by web providers to solicit user account names and passwords is viewed as an attempt by such providers to access information which is the property of the ISP. Yes, the property of the ISP. User information stored on our systems is the property of the ISP and not the user of the system. Access to the systems is authorized to the user of the system alone and not an outside entity spoofing the users’ credentials to access the system. As such these sites are NOT recommended to users. As a precaution, users of our systems are advised NOT to store e-mail addresses within their webmail. Access by a specific IP address to several different user accounts would be viewed as a security breach. The offending IP address would be searched and charges laid against the owner as per our rights of access and terms of service. Activity of this type is identified and blocked by our firewall systems, access to the site is blocked via keyword and URL blocking, and mail transport is blocked by our servers. Customers who feel that our expertise in blocking access to dangerous Internet-based activity are advised of the dangers involved; however, our blocking does not get removed.
While Internet access should be free and clear so are the rights of users in a free society to make their own decisions. Courts however step in to deny rights of access to protect the greater good of society and individuals who DO NOT comprehend or understand the far reaching consequences of their actions. As an ISP we feel the responsibility to protect those who do not care or comprehend such activities. Right or wrong sometimes people need protection from themselves. The only way to create a generation of responsible, safe Internet users is through education and sometimes education needs to be definitive and harsh.
While many ISP’s take a role of distance from rights and responsibilities there are many who do not. Users are often untrained and as such more ISP’s are taking a role of protecting their customers from dangerous activities perpetrated by developers and providers of other services.
Service providers such as free e-mail services are NOT ISPs (Internet Service Providers); they are ASPs (Application Service Providers).
There is virtually no need for such free e-mail services. ISPs provide e-mail accounts for their users, and many ISPs, educational, medical and government services do not permit inbound e-mail from such free providers. Free e-mail providers offer accounts without due diligence as to the actual identity of the account holder, i.e. I could be elvis@hotmail. These types of e-mail accounts offer no identifying attributes as to the actual person sending mail. Do you open snail mail sent to you, answer calls from those you do not know with call display, contact a government service by punching in any random phone number? No. If someone has something to hide, does not want to identify who they are (Hi, I am Bob Green and I have $10,000,000.00 dollars to give you, please respond to ali.bobba@hotmail – mmmmm ok), why would you even bother to give them the time of day?
There is a spam law in effect which states that applications MUST clearly notify the consumer during the install of an application that the application will be installing additional software which can be used to collect information etc. Under this same principle web providers should be responsible to clearly notify the consumer that by entering this information they will be accessing YOUR account with YOUR credentials, accessing YOUR address book to collect e-mail addresses, and what if any storage of these addresses will exist. Failure to do so constitutes an infraction of an individual’s consumer rights and right to Fair Trade and could be similar to accessing a person’s credit history in order for them to buy bread from the corner store.
In short, the actions of any such website to play upon the naivety of a consumer to facilitate the exposing of user accounts, passwords and address lists are poor and shady business practices. Had this been a physical store down the street or across the country, consumer and corporate affairs would be involved.
Users are responsible for their accounts and passwords and the security of such accounts and passwords. In the real world users just sometimes do not know when they are being taken advantage of and it is at that time the ISP should, with their knowledge, intervene and stop such activities.
Web providers such as this, if attempting to operate an above board, legit and righteous business should refrain from such activities or find themselves placed within the category of snake oil salesman.
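The article describes the mechanism (the site logs into each member’s mailbox with the password it collected and pulls the address book), and the ISP commenter above names the server-side signal that leaves: one client address authenticating successfully to many unrelated accounts. The following is an added example, not code from the article, from Flixster, or from the commenter’s ISP, that implements that check over a constructed authentication log; the log format, the field names, the 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 addresses, and the account names are all assumptions made for the example.

```python
"""
Flag a single client address that authenticates successfully to many distinct
mailbox accounts within a short window.  A site that collects users' webmail
passwords and then logs in as each of them to copy the address book leaves
exactly this footprint: the logins succeed (the passwords are real), they all
come from the site's own servers, and they fan out across unrelated accounts.
The log format, addresses and accounts below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of a webmail/IMAP authentication log (not a real format).
# 203.0.113.5 plays the hypothetical third-party site; 198.51.100.20 is one
# user's own connection; 192.0.2.77 is a small password-guessing run for contrast.
SAMPLE_LOG = """\
2007-05-01T10:00:01Z LOGIN ok user=alice@example.com ip=203.0.113.5 proto=imap
2007-05-01T10:00:04Z LOGIN ok user=bob@example.com ip=203.0.113.5 proto=imap
2007-05-01T10:00:09Z LOGIN ok user=carol@example.com ip=203.0.113.5 proto=imap
2007-05-01T10:00:15Z LOGIN ok user=dave@example.com ip=203.0.113.5 proto=imap
2007-05-01T10:00:22Z LOGIN ok user=erin@example.com ip=203.0.113.5 proto=imap
2007-05-01T10:01:03Z LOGIN ok user=frank@example.com ip=203.0.113.5 proto=imap
2007-05-01T10:00:30Z LOGIN ok user=alice@example.com ip=198.51.100.20 proto=webmail
2007-05-01T10:05:00Z LOGIN ok user=alice@example.com ip=198.51.100.20 proto=webmail
2007-05-01T10:02:00Z LOGIN fail user=gina@example.com ip=192.0.2.77 proto=pop3
2007-05-01T10:02:01Z LOGIN fail user=hank@example.com ip=192.0.2.77 proto=pop3
2007-05-01T10:02:02Z LOGIN fail user=ivan@example.com ip=192.0.2.77 proto=pop3
2007-05-01T10:02:03Z LOGIN ok user=judy@example.com ip=192.0.2.77 proto=pop3
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN (?P<result>ok|fail) user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+) proto=(?P<proto>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ok": m["result"] == "ok", "user": m["user"],
            "ip": m["ip"], "proto": m["proto"]}


def find_fanout(lines, min_accounts=5, window_seconds=600):
    """Return one finding per client IP that logged in successfully to at least
    min_accounts distinct users inside some interval of window_seconds."""
    events = [r for r in (parse_line(line) for line in lines) if r]
    events.sort(key=lambda r: r["ts"])          # log lines may arrive out of order
    successes = defaultdict(list)               # ip -> successful logins, in time order
    failures = defaultdict(int)                 # ip -> number of failed logins
    for r in events:
        if r["ok"]:
            successes[r["ip"]].append(r)
        else:
            failures[r["ip"]] += 1

    findings = []
    for ip, recs in successes.items():
        best = None
        start = 0
        for end in range(len(recs)):
            # Slide the left edge until the window spans at most window_seconds.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            users = {r["user"] for r in recs[start:end + 1]}
            if len(users) >= min_accounts and (best is None or len(users) > best["accounts"]):
                best = {
                    "ip": ip,
                    "accounts": len(users),
                    "users": sorted(users),
                    "first": recs[start]["ts"],
                    "last": recs[end]["ts"],
                    "failed_logins": failures[ip],
                }
        if best is not None:
            # Many successes with few or no failures means the client already held
            # valid passwords; many failures alongside points at guessing instead.
            best["assessment"] = ("valid-credential fan-out (third-party service)"
                                  if best["failed_logins"] <= best["accounts"] // 2
                                  else "possible password spraying")
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in find_fanout(SAMPLE_LOG.splitlines()):
        span = (f["last"] - f["first"]).total_seconds()
        print(f"{f['ip']}: {f['accounts']} accounts in {span:.0f}s, "
              f"{f['failed_logins']} failures -> {f['assessment']}")
```

Only successful logins count toward the threshold, so the three failures from 192.0.2.77 do not produce a finding on their own; the `failed_logins` field exists to separate a service holding real passwords from a guessing run that happens to land a few.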
To be honest, I don’t think Flixster is a ‘big fat spammer’, or is accessing your e-mail accounts. I have been using Flixster for about 9 months now, after being invited by a friend of mine, and I love it! It’s a great place to talk about movies and things like that. And yes, you’re probably thinking ‘there are so many innocent people being taken advantage of on Flixster’. Yeah, perhaps there are. But you can only join Flixster if you are 13 or above, and people of these ages should know not to trust anyone but your real ‘I have met them in real life’ friends. Flixster has a system where you can report anyone you are suspicious of as well. You can make your profile private, and when you think about it, Flixster is just like MySpace or Bebo, so there, enough said.
These articles on Flixster are true. My wife has been bombarded by sick people joining that web site and they now know her name, where we live, and have made contact. This is a nightmare. Only by snooping did I finally convince her of the dangers of this web site: when I IMed one of the men who she added as a friend, he wanted sexy pictures and invited her to view his web camera, which when I did he was exposing himself. This is a very very dangerous site and I have all the emails and contact names to prove it. I only wish I could confront these sick men taking advantage of innocent people who just want to rate movies, but it’s now too dangerous. Ladies, for god’s sake don’t trust anyone out there but your family. GOD BLESS TO ALL
I got the message from Flixster two days ago that a friend had left a message for me, then I got another one today.
It does bother me a lot, like most of you, that they ask for my password for my e-mail account right away, but what bothers me more is that they kinda make it look like there is no other option to add friends…. I think they said something like “you don’t have to add friends, but don’t blame us if you get lonely and bored”. What the hell is that?!! I started to look at ways to invite this friend of mine that had sent me the message, but every time I went to “my friends” and clicked “invite” I got the same question about my e-mail password, and then the friendly message “don’t blame us if you get lonely and bored”. After a while I went into the “Meet ppl” window and there I found the option to look for friends by their name.
So to recap, I think the worst part is that they make you believe the only option to add friends is to give them your password… I mean, come on, how can you not take a line like “don’t blame us if you get bored and lonely” as another way of saying if you don’t give us your password then you won’t have any friends in here = no other way to add friends. Anyway, I sent an e-mail to all my friends reminding them of basic online security: “never ever ever give your password to a third party”.
Hello everybody. I found Flixster suspicious since the first day and today I did my research and then saw this page. I canceled my Flixster account today cause I see two of my friends joining and I didn’t invite them. The first thing I found strange when I joined is that your Flixster URL is the same as your mail account, and I didn’t like it, but I did continue with the account, but now no more. I will send emails to my friends telling them that they have to cancel their Flixster account and change their mail passwords. Flixster sucks!
I think this may be happening from third-party sites to Flixster as well. I had never heard of this site, and am not too sure of ever entering my e-mail password into any site either. Yet people I know are receiving e-mails from this site. Not good at all.
Okay, most of this makes sense until I consider my problem with Flixster. My son is 7 and has an email account. We have given the email address to 3 people, none of which have a flixster account, and none of which are referenced in the emails that he’s getting.
There’s something shadier going on here.
Tim
By the way, if you go to Flixster and click on “Contact Us,” in the list of question types they give you two options: one, to cancel your membership, and two, to prevent Flixster from sending you more invitations to join. I promptly clicked on both. To give credit where it’s due, good job to Flixster for making that easy.
I got a Flixster invitation from a new co-worker, and not wanting to be impolite, I went through the sign up process. I even gave my email account password, not to my main email account, but for a hotmail account that I just give out to places that are likely to spam me. Since then I have repeatedly received messages from my computer that say “An application is attempting to access your Outlook contacts list. If you were not expecting this it may be a virus. Do you want to allow access?” Is this being caused by Flixster?
You are fucking stupid!!!! Do you even have Flixster? They ask you for your fucking pass b/c they’re scared someone hacked in your account so they need to double check if it’s really you, BITCH!!!! F.U
STFU
“Flixster and Plaxo and services like them are preying on people’s ignorance” – are you kidding me? I’ve been a member of Flixster for well over a year and not had any of the problems you people are talking about. I just make sure that when I join a site that wants me to invite my friends I don’t invite anyone! None of my friends have ever had these spam emails from Flixster. So can someone explain that? And no, just in case you are wondering, I don’t work for them; I just honestly have never had this problem ever.
Says something about the motives of a site when the HEADER is a Google ad… Get out of my internet, please.
I nearly got caught with a Facebook one. It makes no mention of any of this stuff and asks for your gmail password when you sign up.
I am glad I am a paranoid person, but a few of my acquaintances were not so lucky. Turns out my email address is in quite a few people’s address books who recently signed up for stuff like Flixster and Facebook… who knew I was so loved?
Just started getting these emails yesterday.
Gotten a few so far from the same sender – I doubt that that sender is adding me constantly/inviting me. So from my point of view it’s spam. We’ll be adding their domain/IPs to my network lists. If this continues we will consider a Russian way to settle this.
HA, I just was messing around on the site and took their movie compatibility test, and guess what comes up after that? They offer to post a bulletin on your MySpace for you. All you have to do is enter your MySpace email and password! This is just preying on people’s stupidity. That’s a bad Flixster! Bad! NO! BAD!
Please send me a 1 billion dollars
whatever it’s going to takes
I agree with you Abby. Their “Unselect All” button not working on their site is not a “bug”. When I complained to Hannah, an administrator on the site who is labeled “the responsible one”, she told me it was my fault that I didn’t check to see if all my addresses were unselected, when on the screen they were unmarked and 1,500 weren’t. Not, “I’m sorry, there must be a glitch.” How convenient for them. Somebody needs to stop these arrogant sleazoids!!
They are violating their own Terms of Service contract to be a member.
Hello, I want you to send me my bank account number to this email address.
lary@fastermail.com
Just received this in my inbox, even though I have cancelled my Flixster account:
Someone tried to make a post with the subject “Welcome! 3 tips for using Flixster.” from the address “welcome@flixster.com”. The message body (after scrubbing it clean) was…
And then it had all these “tips”. These people are not this stupid. They are evil and trying to get away with things that should be illegal.
Abby
@Johnroe – Haha! Reminds me of that Seinfeld when he tells the telemarketer he’ll call her back when SHE’s eating.
Hey Joe G, why don’t you leave us YOUR ISP account information, we promise we won’t abuse it.
Obviously Flixster is willing to forge other people’s names in order to fool the receiver. This is a scummy practice, to say the least. I have banned the site from all my clients’ networks; I advise all of you to do the same. These guys are behaving like criminals.
The basic concept of unlimited access to the user’s entire address book is the basis of the privacy violations Flixster has stirred up. Flixster is the only one of these sites to FORCE the user to enter the information just to sign up for the website.
If the “deselect all” button still has all of the email addresses selected, then it’s a bug and Flixster is negligent with their coding and therefore can be held legally liable for emails the user did not want sent.
On top of that, there is no guarantee that Flixster (nor any other website) is not using the information gathered for any purpose other than what they state. As has been stated several times before across several news/blog sites (including Slashdot), there is no easy way to police the internet. That said, if it’s OK for Flixster to state in a legal document “I can’t believe you really clicked on this. What are you trying to find out?” and do what they do with private information, then what stops other sites from doing the same? I think an example needs to be made of Flixster.
The basis of a lawsuit is simple: AOL, Gmail, and Hotmail can easily sue Flixster and other offending sites for using their customers’ private information for monetary gain. Unfortunately, I doubt the customers themselves will see any monetary benefit of such a lawsuit.
Also to the “K” poster who said “what’s the problem here?”
“The problem here” is that when you get down to it, the only people who sign up for services like Plaxo and Flixter are users that don’t know any better. Nobody knowledgeable about how these things work under the hood would ever sign up for this nonsense.
So that’s the first issue: Flixter and Plaxo and services like them are preying on people’s ignorance. Not in itself a crime, but it’s just plain unethical.
The second thing I touched on in my previous comment: The ignorant users that fall for Flixter’s or Plaxo’s spiel aren’t just giving up their own privacy, but the privacy of their friends! “My dumb buddy gave Flixter my email address, the bastard!”
I just can’t stand this kind of stuff. The only bright spark here IMO is that most of these services offer actually very little of value to their customers, so hopefully they will go out of business quickly. Then again, the whole MySpace craze completely mystifies me so probably I’m just out of touch (again).
–booj
The flixter guy mentions Plaxo in his comment — I hate those guys too.
Basically we need to really shine a spotlight on all these kinds of operations like Plaxo and Flixter — we need to raise public awareness that all these “social networking”-type sites do is offer you a product/service which doesn’t do much for you, and in exchange you not only forfeit your own privacy, but the privacy of everyone on your contact list! These companies should be ashamed of themselves, really.
And honestly, how hard is it to keep in contact with your friends and let them know what stupid movies you are watching these days? Is that worth giving up even one iota of privacy? Give me a break.
Regards,
–booj
What’s the problem here?
Flixster asks for permission to use your credentials. They’re clear about what they’re going to do. Either you give them permission or you don’t.
How do you know that they’ll keep their word and not spam everyone on the list? You don’t. If you don’t trust them, don’t give your credentials.
How do I know that Amazon isn’t going to use my credit card number to charge me tons of random stuff? How do I know that Charles Schwab isn’t going to send my money to employee’s uncle in Nigeria? I don’t.
This is no different. They tell you what they’re doing. If you don’t trust them, don’t give them the info. Where’s the issue?
Hate to say it but it looks like Anne is just trying to pump up site visits. She doesn’t even clearly mention that you can select exactly who receives the messages.
Her major concern appears to be that the email provider’s logo is on the page, making it look like an ‘official’ login page for the provider. Except for the huge banner above it that reads “Add Some Friends. The whole point of Flixster is to share movie ratings with friends”. Can we please move on to real issues now?
Clearly I have learned something about trusting online sites through this and will never, ever do it again. That said, I do think that if I give over my password to a site, then it should ONLY be used for the express purpose stated. I used it to send a one-time email to people I selected. There was bugginess: when I clicked unselect all, it failed to do that, and I’m lucky I noticed. Select all SHOULD NOT BE THE DEFAULT! That is a HUGE privacy violation. If I have given over my password (again, something I will NEVER EVER DO AGAIN), then damnit, you do NOT have permission to send more than that one email I approved. I have received reports from SEVERAL friends who received not just one, but 2 and 3 follow up invitations. Again, follow-up invitations SHOULD NOT BE THE DEFAULT! Always default to the minimal use of information people give you. To do otherwise will piss them off and make them blog about you, like I did. And it will make them dismiss you as a spammer site, which you are.
You were not careful with my information, and I resent you for it. It has caused friends to mark me as spam (so potential employers have not been able to receive emails from me), it has caused a public post on my blog (because one of the addresses in my book was a “Post to Blog” address) that included my last name. A HUGE no-no given the fact that I am a psychologist. I vehemently protect my privacy online, and in your enthusiasm to get more participants on your ad-heavy site, you violated the careful rules I use when protecting my own online identity.
Maybe you really are as ignorant of your wrongdoing as you express here, but please wake up and realize that these kinds of default options are NOT COOL.
Joe from Flixster, yes, other social networking sites offer the same functionality; but Flixter is different. Not only do you include it DURING SIGNUP, but you make a point of pointing out a wrong password, and the ‘do it later’ link is very small compared to the ‘login’ page. (Not to mention the trademark violation by using the other companies logos without their consent.)
On Myspace, this feature is only available after account creation, and you have to go find it. On yours, asking for the customer’s email password is the SECOND STEP in the process. To someone who deals with average consumer computer security issues every day, this is a MAJOR breach of security.
Greg,
One thing is to ask for login details of some social network site, totally different story with your personal email. Social networking sites are public, but email is private. What will google find out from my social networking site, that is not already available through the net? By asking email login details, you are asking to give away a lot, lot more.
Al or anyone,
Is there anyway to stop Flixster legally?
I had also pressed unselect all and they still sent an email spam to everybody on my list except for a-d. I have not come across any other social network site who is so shady and misleading. Joe Greenstein is lying when he says LinkedIn, My Space, and every other social network do friend importing in exactly the same manner as Flixster. “Unselect all” should mean every email address and it does on other sites.
Stay away from Flixster.
It’s not uncommon for this to be done legitimately to ease the process for people. If you go to Google Video, they offer sharing options for posting their videos to your MySpace account, your blog, etc.
If you click that button and select one of four services (MySpace, Blogger, TypePad, LiveJournal), Google asks for your login details, then logs in to your account as you and posts the video as an entry.
The problem most people who offer web based services understand is that the more you can automate a process and let the site/service do the work, the more likely you are to get the user to the conclusion of the process.
It’s all about the pipeline. Maximum impact in the fewest number of steps with the least amount of user interaction. Don’t ask them to make choices or stop to type unless absolutely necessary. Select defaults and give them bright and shiny “next step” buttons so they can click all the way through without thinking. Options for changing the defaults should be de-emphasized so you’re doing as little as possible to take them out of the “click-click-click” trance.
Sadly, this regularly leads to unintended results, such as what’s happening with Flixster. Rather than make people proactively select addresses from their address book, they make them proactively remove them. This isn’t malicious. It’s derived from the knowledge that if you don’t check off default addresses for them, if you make them stop and think, they may not start again.
Could Flixster improve their process? Surely. Is programmatically accessing your account for you and doing the work for you wrong? That’s grey. It reduces complexity and increases simplicity for the user. The downside is it reduces security and increases unintended consequences.
There’s a middle ground here somewhere, some way to allow service providers to increase ease of use while allowing users to minimize security risks and unintended consequences… but that’s a much longer discussion.
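The two selection models the commenters describe (everyone pre-checked with "deselect all" only touching the visible page, versus nothing checked until the user opts in) can be shown side by side in code. The following is an added example, not Flixster's code and not from any commenter; the contact list is constructed, and the role/automation address pattern used to keep addresses like support@ or post-to-blog out of the pre-suggested list is an assumption for illustration, not something the thread specifies.

```javascript
// Added example: opt-out vs opt-in contact picker for an "invite friends" flow.
// Constructed sample address book (not real addresses).
const SAMPLE_CONTACTS = [
  "alice@example.com", "bob@example.net", "support@example.org",
  "post-to-blog@blog.example", "carol@example.com", "dave@example.net",
];

// Assumption (heuristic, not from the page): addresses that look like role or
// automation mailboxes are never pre-suggested; the user can still add them by hand.
const AUTOMATION_PATTERN = /^(support|sales|info|post|post-to-blog|noreply)@/i;

// The failure mode the thread describes: every address starts selected, and
// "deselect all" only clears the page currently rendered in the browser.
class OptOutPicker {
  constructor(contacts, pageSize) {
    this.contacts = contacts;
    this.pageSize = pageSize;
    this.selected = new Set(contacts);          // everyone pre-checked
  }
  page(n) { return this.contacts.slice(n * this.pageSize, (n + 1) * this.pageSize); }
  deselectAllVisible(n) { for (const c of this.page(n)) this.selected.delete(c); }
  recipients() { return [...this.selected]; }
}

// Hardened form: default-deny selection state kept in one place for all pages,
// so "deselect all" means every address, and nothing is sent without an explicit tick.
class OptInPicker {
  constructor(contacts, pageSize) {
    this.contacts = contacts;
    this.pageSize = pageSize;
    this.selected = new Set();                  // empty until the user opts in
  }
  page(n) { return this.contacts.slice(n * this.pageSize, (n + 1) * this.pageSize); }
  suggested() { return this.contacts.filter(c => !AUTOMATION_PATTERN.test(c)); }
  select(email) { if (this.contacts.includes(email)) this.selected.add(email); }
  deselect(email) { this.selected.delete(email); }
  deselectAll() { this.selected.clear(); }      // all pages, not just the visible one
  recipients() { return [...this.selected]; }
}

// Server-side check behind the "send invitations" button: only addresses that
// came from this user's imported list and were explicitly selected, and never a
// repeat invitation to someone already invited.
function buildInviteBatch(picker, alreadyInvited = new Set()) {
  const batch = [];
  for (const email of picker.recipients()) {
    if (!picker.contacts.includes(email)) continue;   // tampered or stale form value
    if (alreadyInvited.has(email)) continue;          // no follow-up invitations by default
    batch.push(email);
  }
  return batch;
}

// Walk both models through the scenario from the thread: user hits "deselect all"
// on page 1 and then picks two friends.
function demo() {
  const optOut = new OptOutPicker(SAMPLE_CONTACTS, 2);
  optOut.deselectAllVisible(0);                 // pages 2 and 3 stay selected

  const optIn = new OptInPicker(SAMPLE_CONTACTS, 2);
  optIn.deselectAll();
  optIn.select("alice@example.com");
  optIn.select("carol@example.com");
  optIn.select("mallory@evil.example");         // not in the address book: ignored

  return {
    optOut: buildInviteBatch(optOut),
    optIn: buildInviteBatch(optIn, new Set(["carol@example.com"])),  // carol already invited
  };
}
```

Run `demo()` and the opt-out picker still produces four recipients the user thought they had cleared, while the opt-in picker sends exactly the one new, explicitly chosen address.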
Al –
Thanks for the reply. I agree with you that the world will be a safer place when all of these social web apps have secure APIs that you need a key to access so that they can ensure that people integrating with their service are legitimate and truthful about their purpose and not phishing or malicious. Unfortunately, we’re just not there yet.
FYI, LinkedIn, MySpace, and VIRTUALLY EVERY other major social site DO offer friend importing in exactly the same way as flixster:
(Myspace is broken for me right now – but i’ve used their contact importer several times)
Likewise, Slide, RockYou & every other leading “mySpace Widget” company ask for your username and password in order to auto-post their widgets on your page. They are not malicious in any way – it's just where we are right now as an industry that these integrations have not yet been automated.
And i agree with you – its a security concern and users have to be careful to only use reputable sites.
We work hard to make sure flixster qualifies in that category.
Sincerely,
Joe
I find it telling that “one of the founders of flixster” doesn’t know how to count.
How many other /hidden/ items are also “number 2” on his list?
Joe, interesting feedback.
Regardless, your methodology is a privacy disaster in the making. You’re programmatically accessing the accounts of others, and we have only your word for it that this access won’t be misused. If I were a mailbox provider who found you accessing our users’ accounts that way, my next step would be to pull in the legal team and figure out what recourse I had to make it stop.
You’re making yourself look like a very bad guy with this choice of methodology. This reminds me of how hackers get access to MySpace and other accounts in order to spam people. It’s actually all over the news lately, where people get tricked into giving out account passwords in the name of better friend tracking or friend notification, and then gosh knows what else is actually done with a user’s personally identifiable information.
Other social networking sites like MySpace and LinkedIn are able to offer users functionality to invite friends to join without similar negative privacy implications. These sites do not require your AOL/Hotmail/Yahoo password ever, for any reason. What makes yours so different, that it would be wise or safe for thousands of users to store thousands of passwords on your servers?
I rather suspect ISPs and webmail providers will be scrambling to block this type of account access, if they’re not doing so already.
Regards,
Al Iverson
http://www.spamresource.com
Hi Anne,
I am one of the founders of flixster. I happened upon your article via technorati.
As a social community on the web, we take issues of email privacy and permission very seriously. Obviously I am saddened by the way your article describes us. Let me clarify a couple things…
1. We do allow users to access common web-address books to select friends to invite. The whole point of flixster is sharing movie ratings with friends – so making it easy to invite people is very important for us. (This is also incredibly common practice around the web – see yelp/facebook/myspace and many others that also offer it. Plaxo actually offers a popular widget to allow any site to offer this feature).
2. We don’t do anything tricky or misleading. The invite friends screens are all clearly explained (visible even in your slightly fuzzy screenshots) and to actually send anything the user must click a button labelled “send invitations” on a screen with their friends names and a list of checkboxes.
2. We use the user’s credentials only to retrieve the contact list and then do not store them in any way. We absolutely don’t do anything malicious or affect their account in any way.
3. The user is then ALWAYS given the list of contacts and asked to select whom to invite. We do not invite anyone they do not select. Of course we want people to invite friends to come try our site – but it absolutely does not benefit us to send invites they didn’t intend and end up with angry users.
4. Once registered, users can control their settings on every single email we send – from weekly movie summaries to new friend requests. If you choose, you can receive no email from us at all.
5. We never sell, rent or buy email addresses from anyone. We are a small company. The intro to our terms of service was intended to be funny. In no way does it reflect us taking privacy issues lightly – which is exactly why we wrote our privacy policy in such clear terms.
Anyway, if you have any questions or want to discuss with me, drop me a note at the email above. I appreciate that your efforts are to help protect people from malicious or dangerous sites – a noble endeavor – I’m really sorry that you felt like our site fell into that category.
Sincerely,
Joe G
I’m not being snide, but why would any experienced user give their account password to anyone? This is tantamount to handing out your bank account number.
I am having EXACTLY this problem. It has been a total nightmare. Yes, I gave the password, but I’ve done that before, just so I could have easy access ONCE, then select those in my address book I wanted to invite. I clicked “unselect all” and carefully went through and selected only those I wanted to invite (about 5 people). I noticed that although I’d clicked “unselect all”, there were about 40 addresses at the end of the list still checked. I manually unchecked all of those then hit send. Well, I’m guessing that that was about page 1 of 3, because EVERY other name in my address book was invited: professional contacts, old boyfriends, etc. It even sent mail to my “post to blog” address so that my first and last name were posted on my blog (something I never do). I think that so many people got those emails from me that a few clicked Spam on me. Since then, I’ve had people at places I’m interviewing report that they were unable to receive emails from me. My best friend can’t receive emails from me either. Flixter is purely evil. I will never EVER use a password to gain access to my email address book again. This is a total violation of privacy, and I am not happy about it.