Rapleaf and the Facebook Privacy Ruckus

40 thoughts on “Rapleaf and the Facebook Privacy Ruckus”

  1. thanks for writing the article and following up with the various parties involved. it is a bit scary that tools like Rapportive might be sharing information back with RapLeaf.

    i think the nature of information sharing between services is acceptable if the user is presented with some knowledge of how that information is being shared.

    learning about it after being a user of these services is where users feel betrayed.

    look forward to your updates tomorrow.

      1. Rahul, the bottom line is that your product is providing many of your users' email contacts and real names to Rapleaf. That just sucks! If these users don’t have a dossier at Rapleaf then you just started one for them! I am confident if your homepage explained that clearly (and accurately described what Rapleaf does as its core business) then you would see a significant drop in the usage of your product. Very lame. I think you are being very dishonest.

      2. Daniel, I’d like to correct two important misconceptions about our product and Rapleaf:

        1. We are not sending any real names to Rapleaf. As far as we know, neither are Gist, eTacts or any of Rapleaf’s other customers.

        2. We have vetted Rapleaf’s privacy policy and business model very carefully. You seem to believe that they sell the actual email addresses, which is incorrect: they sell information about email addresses. In particular, they sell publicly accessible information. And most importantly, they sell publicly accessible information about email addresses only to organizations which *already have* those email addresses.

        Please take some time to think that through. Rapleaf does not provide information about an email address to an organization which did not *already know* the address. (And if they did, we would leave them.) That is key.

      3. Rahul,
        Your reply to Daniel mentions that you are not sending back real names to Rapleaf but doesn’t address his point that you are sending email addresses back – I guess you don’t consider this as “data”.
        The problem with your argument is that Rapleaf can use “customers” such as yourself to actually harvest email addresses against which they can run their scraping engines to attempt to construct social profiles for the said address. Thus, whether intentionally or not, you are helping Rapleaf seed their database and to the specific point at hand, you are being disingenuous by claiming that you are not sending back any data to Rapleaf.

      4. Rahul, Say what you want but based on your words above at the very least it’s safe to assume that your service is assisting RapLeaf in several ways.

        (1) data collection: by sending RapLeaf my friends' email address you are indirectly informing them that an account exists whether or not it is currently in their database!

        (2) verification: the way your app collects and sends email addresses to RapLeaf verifies by default that an email account is currently active!

        There is simply no way to deny those two points. Without digging into your code and/or sniffing packets I will take you at your word that you aren’t sending additional data besides my friends' email addresses but that really is beside the point. I’m offended you’ve given my friends' data over to a 3rd party! I’m sure my friends would be furious with me if they knew I was doing this to them via your service. You make none of this clear on your website either.

        Like it or not your service is creating a marketplace for user data that most internet users do not want to be harvested and re-sold by 3rd parties. Maybe you should aim to say not just that your “users’ privacy is sacrosanct” but that your “users’ data about their friends is sacrosanct too.” There are other ways to do what you're doing without involving a sketchy middleman.

      1. Go ahead. Opt out. But then this terrible Rapportive add-on which is likely being used by at least one of your friends will just re-submit your data back to Rapleaf and your account will be reactivated. Seriously. That’s how much this entire situation sucks. Rapportive doesn’t need to pass additional data – your real name and email address are plenty!

      2. Daniel, as above I’d like to correct some misconceptions: a. we are not passing back real names or any “additional data”, and b. that’s not how opt-out works. As Marc and Azeem have pointed out, the opt-out in fact opts you out. Permanently, both for Rapleaf and its entire ecosystem. Your account cannot be “reactivated” by somebody looking up your email address.

      3. Rahul,
        How does this work in practice? Since you are also caching this data on your servers, do you delete say Om’s profile information from your servers as well once he opts out of Rapleaf from their website? Do you get a trigger from Rapleaf asking you to delete this information?
        Does it work the same way for every customer who is using Rapleaf? What is the guarantee that every customer would also do likewise?
        I severely doubt that this is the case…

  2. Om,
    Rapleaf actually sells profile information to companies like Rapportive at the rate of 5 cents or so a pop – this is their core business model. So there is no quid pro quo required in terms of Rapportive et al to share back any data to Rapleaf.
    The bigger worry – beyond the fact that Rapleaf can construct a social profile on the basis of an email ID – is that each of their customers is also presumably caching this data on their own servers (why pay more than once for the same profile result) and this opens up multiple leakage points for this data to be potentially used in a mala fide manner… who is going to police this even if Rapleaf ostensibly respects some privacy/opt-out controls?
    Cheers,
    Sumanth

    1. Sumanth

      Thanks for the comment and offering details. I am not clear on Rapportive and if they send information back to Rapleaf or not. We are waiting to hear back from them.

      On the second part of your comment, I indeed agree with you. It is clear that even if you opt out of the service, there is little you can do about all the data that is already out there.

  3. The data held by Experian and Acorn and folks like that is pretty phenomenal–these are models that have been built up over many many years.

    But the big distinction with the old style folk and new providers (like Rapleaf) is the presence of the opt-out. The opting out is much easier and baked into Rapleaf’s website/business (at least it was last time I checked).

    Rapleaf does seem to sail close to the wind, but I don’t think it is much closer necessarily than many established firms like Experian or Acxiom or CACI — it’s just that it sits on the pulse of the Valley echo chamber, so seems to attract undue attention.

    You can take email addresses to many vendors and be given details on likely income, address, household size and a host of other variables.

    This data cat has been out of the data bag for a darn long time.

    1. @Steve. The “Gist Promise” is unclear, using terms like “your data” and “user data” without pinning them down.

      Please state what you mean by “data”, “your data” and “user data” (e.g. do they include “email addresses”) and “not share” (e.g. does this include not using data in an API call).

  4. [posted this yesterday – not sure if it’s stuck in moderation]

    Om,

    Thanks for writing the blog post, you’ve surfaced some solid points.

    1. Flowtown does not pass back data to Rapleaf or any other data partner.
    2. We’ve always been hyper sensitive to make sure we’re stewards of good data and make it easy to opt-out.
    3. We’ll be publishing explicit details on what data we aggregate, how it’s used, and our policies around it.

    Best regards,

    Ethan Bloch (@ebloch)
    Co-Founder, flowtown.com

    1. @Ethan A few questions:

      1. Are you saying you don’t pass email addresses to Rapleaf to get additional data about those accounts? Sounds hard to believe.

      2. Where is the URL for me to opt-out of having my email/user data used by Flowtown?

  5. Hi Om,

    I wrote a blog post several months ago about how to find a person’s email address, verify it and then use other services to enrich it. I never published it due to not being totally comfortable with what I have written. The process involves (where the email address is not known):

    1. Guessing the email address (there are a number of ways)
    2. Verifying this using the largest professional network (and if needed the largest social network)
    3. Once verified, add to web applications that could enrich the email address by finding out social profile and then automatically capture every update of her/his web activities.

    In addition, there are many startups offering digital cards where individuals willingly add their profile data.

    Given the above, it is unclear who is the bad guy in this case, as we have all provided the information willingly in the first place to various web applications. Selling our data to third parties was pioneered by people such as Experian, and it happens every day whether we like it or not.

    Perhaps, there ought to be a set of best practices that reputable applications will adhere to. You can take it to another stage by allowing third party audits, etc.

    Not a simple issue… I am glad you raise it though.

    Best regards
    Manoj

  6. I was just contacted by RapLeaf and they told me that they are no longer providing Social Profile Links (end of this month). 2 questions: What will happen to companies like FlowTown? Where can we get this data from now?
