Address harvesting through social networks

The next killer ap on the Internet seems to be social networking. Everyone has a great idea for the next facebook or or myspace. All of these sites, though, have to find users. The site will fail if there are no users. One way to get new users is to ask all your current users to invite all their friends to join. This tends to lead to the marketing / product decision to insert functionality into the social networking site which allows current users to upload their address book and the site itself will send out invitations to all your friends and contacts.
This is not actually as great as an idea as it sounds, however. First, you end up with situations like what happened to me this past week.  On Wednesday I received the following email:

Hi,
I looked for you on Reunion.com, the largest people search service — but you weren’t there.
See who else has been searching for you! Click here.
—Bob
Reunion.com – Life Changes. Keep in Touch.™
You have received this email because a Reunion.com Member sent an invitation to this email address. For assistance, please refer to our FAQ or Contact Us.
Our Address: 2118 Wilshire Blvd., Box 1008, Santa Monica, CA 90403-5784

Bob is actually a current client and I recognized his full name in the from address. Bob has my current information and we have had contact within the last few weeks so I know he is not actually using reunion.com to try and find me. I spend a few minutes poking at reunion.com trying to figure out how to make the mail stop and make sure they never bother me again, discover they do not want to make that easy and give up. I can always block them if their email becomes annoying.
The next day, I receive an email from Bob, it says:

All,
If you received an email from reunion.com on my behalf, please IGNORE it as that email was sent without my knowledge and I have not sent it willingly. This email was sent to all my contacts in my email address book.
I have already cancelled my account on that site and it is really weird that the site would do this without my permission.
The site is “force inviting” people from your contacts if you register on the site, which is very annoying.
Thanks,

Bob

Because of this behaviour, reunion.com has now lost one registered user, and he has told all his contacts to avoid the site in the future.
Reunion.com is not alone in their rush to grab any address they can get a hold of. Most sites will let you upload address books, or your account information so they can mail all your contacts introducing their new product. It is an attempt to appear to be organic viral marketing, but it is not. In point of fact it is no different than randomly harvesting addresses off websites and mailing them.
Social networks need to be very careful about appropriating addresses and assuming permission. This week, reunion.com appropriated both Bob’s address and my own and assumed they had permission to email me on Bob’s behalf. In fact, they did not have Bob’s permission to appropriate his address and they certainly did not have my permission to contact me.
Many newborn social networks are using similar types of spam to spread their presence. It remains to be seen if this is a working strategy or if they are forced to actually start actually caring about permission.

Related Posts

Email related laws

I’ve been working on a document discussing laws relevant to email delivery and have found some useful websites about laws in different countries.
US Laws from the FTC website.
European Union Laws from the European Law site.
Two documents on United Kingdom Law from the Information Commissioner’s Office and the Data Protection Laws.
Canadian Laws from the Industry Canada website.
Australian Laws from the Australian Law website.

Read More

How much mail?

Yesterday I had a call with a potential new client. She told me she had a list of 4M Yahoo addresses and she wanted to mail them twice a day. Her biggest concern was that this volume would be too much for Yahoo and her mail would be block solely on volume. As we went through the conversation, she commented that this list is also being used by someone else she knows and they were getting inbox delivery at Yahoo on every mailing.
From other bits of the conversation, I suspect that these are not the only two people using this list, but I have no feel for the volume. But how much email is each person on that list receiving a day?
I have a current client who is in a similar field to the above potential client. I signed up for their list back in December. Since then I have received 1728 emails to the address I used on their site. 4 of those emails have actually been from my clients, the rest were stolen by a partner of theirs and sold off to all sorts of mailers. Yesterday I received 40 emails.
I just cannot see how this is a valid, long term business model. The bulk of these mails are advertising payday and other kinds of loans. Some of them are duplicate offers from the same senders (judged by CAN SPAM addresses) using different From: lines. The mailbox these mails are filtered into is completely useless, it has been swamped by loan offers. I cannot imagine that anyone, even someone looking for a loan, is receptive to this much email. The only thing I can figure is that the mailers believe that if their email is the one at the top of the mailbox at the exact moment the recipient gets most desperate for money in their bank account tomorrow they will make the sale and get paid.
This model is going to be less and less viable as time goes on.
On the permission level, there really is no permission associated with that email address. Sure, I could call up the former client of mine who mailed that address today and challenge them to show me where they got the address and they would probably tell me they bought it from that company over there. But when I submitted my email address to my client’s site, I did not expect to receive offers for Mickey Mouse Collectible Watches. It certainly is not what I signed up for.
Not only is the permission tenuous, but ISPs are moving away from a permission based model for access to their subscribers. What they really care about now is how recipients react to email. An email marketing model based on getting as much email in front of the recipient as possible will be harder and harder to be profitable as ISPs get better at measuring how much their subscribers want email. The mailers who get good delivery are those are able to make the mail interesting, wanted and relevant to recipients.
It is difficult for me to imagine a case where you can make 2 emails a day relevant to 4 million recipients.

Read More

Permission, Part 2

Permission Part 1 I talked about the definition of permission as I use it. Before we can talk about how to get permission we need to clarify the type of email that we’re talking about in this post. Specifically, I’m talking about marketing and newsletter email, not transactional email or other kinds of email a company may send to recipients. Also, when I talk about lists I include segments of a database that fit marketing criteria as well as specific list of email addresses.
There are two ways that recipients give permission to receive newsletters or marketing email, explicit permission and implicit permission. Recipients give explicit permission to receive marketing email when they sign up for such email. Implicit permission covers situations where a user provides an email address, either during the course of a purchase, a download or other interaction with a company. There may be some language in the company’s privacy policy explaining that recipients may receive marketing email, but the recipient may not be aware they will receive email.
The easier situation is explicit permission. There are two basic ways a company can gather explicit permission to send marketing email: single opt-in and double (confirmed) opt-in.
Single opt-in: Recipient provides an email address to the sender for the express purpose of receiving marketing email.
Double (or confirmed) opt-in: Recipient provides an email address to the sender for the express purpose of receiving marketing email. The sender then sends an initial email to the recipient that requires a positive action on the part of the recipient (click a link, log into a web page or reply to the email) before the address is added to the sender’s list.
There can be problems with both types of opt-in, but barring fake or typoed email addresses being given to the sender, there is an social contract that the sender will send email to the recipient. I’ll talk about single and double opt-in in later posts.
Implicit permission covers a lot of situations where email is commonly sent in response to a recipient giving the sender and email address. In these cases, though, the recipient may not be aware they are consenting to receive email. This behavior may annoy recipients as well as causing delivery problems for the sender. Common cases of implicit permission include website registration, product purchase and free downloads.
More responsible companies often change implicit opt-in to explicit opt-in. They do this by making it clear to users that they are agreeing to receive email at the point where the user gives the company an email address. Not only is the information about how email addresses will be used in the company’s privacy policy, but there is a clear and conspicuous notice at the point where the user must provide their email address. The recipient knows what the sender will do with the email address and is given the opportunity to express their preferences. If users do agree to receive email, the company will send a message to that recipient with relevant information about how their email address will be used, how often they will receive email and how they can opt-out.
Explicit opt-in is the best practice for building a list, however, there are still companies that successfully use implicit opt-in to build marketing lists. Companies successfully using implicit opt in usually are collecting emails as part of a sales transaction. There is very little incentive for their customers to give them an email address not belonging to the customer.
Outside of purchasers, however, implicit opt-in leaves a company open to getting email addresses that do not actually belong to the person providing the company with the email address. This most often occurs when the sender is providing some service, be it software downloads, music or access to content, in return for a “payment” of a valid email address. In order to protect against users inputting other, valid addresses into the form, the sender must verify that the address actually belongs to their user before sending any sort of marketing email. The easiest way for senders to do this is to send a link to the recipient email. This link can be the download link, or the password to get to restricted content. Because the recipient must be able to receive and act on email, the only addresses the sender has belong to actual users of the site.
In some rare cases, implicit opt-in can be used to build a list that performs well. However, senders must be aware of the risks of annoying their customer base and the recipient ISPs. Mitigating these risks can be done, but it often takes more effort than just using explicit opt-in in the first place.

Read More