What's the book corporate America doesn't want you to read? Find out now -- or you could get scammed.

Unethical pre-checking: How StumbleUpon hijacked my address book

October 2, 2007

In the travel industry, “pre-checking” is limited to a few ethically challenged companies. But outside travel, anything goes — particularly if you’re in the ultra-competitive Web 2.0 space. I discovered that when I signed up for StumbleUpon yesterday evening, to the detriment of many of my friends and professional contacts.

First, an apology. If you received an e-mail from me that started, “Elliottdotorg wants to share sites with you… ” feel free to ignore it. It wasn’t me.

Here’s what happened. Last night, a friend invited me to join StumbleUpon, which “helps you discover and share great websites,” according to its mission statement. I was intrigued, because I had been tracking a lot of traffic from StumbleUpon lately. Maybe I should sign up for it, I thought.

After I created an account, I downloaded the toolbar for my Web browser, and then it asked me to invite my “friends.” This is not unusual for a social networking site.

But what happened next is unusual.

I told the site that I had a Gmail account, and it offered to send out two categories of invitations on my behalf. Either invite friends who already have StumbleUpon accounts (good idea) or invite everyone in your address book — nearly 9,000 people — to sign up for StumbleUpon (not a good idea). I unchecked the second option and then scrolled up and checked on the first.

The system then automatically, and without my explicit approval, checked everything. By the time I knew what was happening, everyone was getting an invitation to join StumbleUpon.

Now, if you’re a friend of mine, you can probably just laugh this off. But this e-mail went to everyone I had sent a message to in the last four years. And there were people in there who I’m sure did not want to hear from me.

To them, let me say again, I’m sorry.

This morning I learned that StumbleUpon may do more with these addresses than it leads us to believe, and that really, really irks me.

StumbleUpon needs to fix this. Right now.

Pre-checking boxes is completely unethical. And repurposing email address from invitations is a very questionable business practice, if it is indeed true.

What’s the lesson learned? Beware of these social networking sites, but more importantly, read every part of the page when you buy something online. That includes any transaction with a travel company.

Update: I have sent the following e-mail to StumbleUpon:

I opened an account with StumbleUpon yesterday. I am writing because of something that happened during the “invite friends” process, and I am extremely concerned about what will happen to the email addresses I inadvertently gave you.

I was offered the option of inviting friends from my Gmail account. There were two choices: Either invite friends who already have StumbleUpon accounts (which I wanted to do) or invite everyone in my address book — nearly 9,000 people — to sign up for StumbleUpon (which I did not want to do).

I unchecked the second option and then scrolled up and checked on the first one.

Your site then automatically, and without my explicit approval, checked every email address in my address book By the time I realized what was happening, everyone was getting an invitation to join StumbleUpon.

May I politely ask for your assurances that the email addresses to whom I inadvertently sent invitations be kept private and will not be added to any list used for marketing purposes by you or any third party?

May I also suggest that you address this apparent coding problem at your earliest convenience? I know of several other users who have made the same mistake. I believe that the way your sign-up process works is misleading, and needs to be clarified.

Stay tuned for the answer.

Christopher Elliott is the author of Scammed: How to Save Your Money and Find Better Service in a World of Schemes, Swindles, and Shady Deals. Critics have called it “eye-opening” and “inspiring” — it’ll “grab your attention and won’t let go.” Order your copy now on Amazon, Barnes & Noble or iTunes.

24 comments

  • Joe F.

    Elliott – send them an email to close and terminate your account. Unfortunately, you gave them full rights to use the emails addresses which you gave them since there is no limitation on THEIR right to use what you gave them.

    I would send them an letter which states:

    1) you did not intend to give them permission to use the information you gave them for any purpose unrelated to your use;
    2) there was a misunderstanding as to how they would use the information.
    3) there was no meeting of the minds nor agreement as to the scope of their use
    4) therefore, they lacked your consent to use ths information for their own advertizing purposes.
    5) You want a commitment to delete your account and to delete the authorization to use any email addresses harvested from your account, and a promise never to use them for any purpose in the future unless they obtain that email from another source, and finally, the piece de resistance –

    6) – you have a bully pulpit on MSNBC.com and as a member of the press can bring down all sorts of unwanted attention on their website – and have it published on a major website, and then also on majort TV news outlet.

    7) If the threat of bad press does not deter them, if they refuse you will inform their advertisers of their unethical business practices and that you, on your audited blog, and email seen by XXX thousand of people each week, recommend that your readers not patronize the businesses that advertize on Stumbleupon. . . .

    See what they say . . .

  • Chicky

    Ooooooooh, Joe. Now THAT’S what I call a LETTER! LOLOLOL. That oughta have ‘em falling all over themselves to help Chris get his account cancelled. Heheh.

  • Randy

    This is why when I get invited to one of these sites and the ‘invite’ page comes up I go back or somewhere else, anywhere else but there. As far as I’m concerned my mail list is private and none of anybodies, especially a websites, business.

  • Jonathan

    I would also remove the link to their site from your posting. The last thing you want is someone inadvertently going there, signing up…and propagating this insanity.

  • http://reinventioninc.blogspot.com kirsten

    same thing happened to me (when I received your email announcement). not sure what i can do to make amends to my friends or to delete my connection to StumbleUpon! boo. :(

  • Dave Sturtz

    As soon as I read this I uninstalled StumbleUpon, and told it to cancel my “account.”

  • Gail

    HI Elliott – I got their email invite and immediately was suspicious since I had never received unsolicited emails from you or your site. Plus the gmail address on the from line was a big tip off that something was fishy. Gmail is almost always used by individuals for personal emails not for business or social networking. They should call it StumbleBum. Go after them with a vengance! Talk about them pirating your personal and business contacts using highly misleading (and unretractable) prechecking sign up webpage. You know, maybe they had a good idea to bring a wider variety of websites to the attention of interested folks, but by using prechecking they signal that they are just another flash in the pan marketing ploy. You can let em know for me that I’ll be warning everyone I know that StumbleUpon is bad news!!

  • http://none Aaron

    Here’s another example of unethical pre-checked checkboxes:

    On a recent United Flight, I used a check-in kiosk, which told me I could purchase 5″ extra legroom. I think the cost was roughly $25 per segment, and I was on a two segment flight.

    Just as I was about to hit “continue”, and proceed with check-in, I noticed the Kiosk had PRE-CHECKED the options…. to decline, I had to manually uncheck each extra-leg-room purchase!

    I find it completely unethical of UA to almost forcibly sell me an upgrade to the ticket. As a traveler, I’m trying to check in, get through security, and get to my gate quickly and smoothly. Watching out for aggressive upselling and bait-tactics is *not* what I should be focused on. I suspect many travelers may be more tired, more weary, more stressed, and less attentive than I was.

    I hope you’ll consider investigating this practice and blogging about it.
    -Thx! Aaron

  • Ron

    Elliott

    I got the invite too. I recognized the Elliott part of the email, but I also didn’t remember you using a Gmail account. I was surprised at the incoming email address, as it is one I only give out rarely.

    You may as well delete that Gmail email address of yours, as I have already blacklisted it from my email program, and many others will probably do the same….it is in the wild.

    I know it is not totally your fault, but thanks for also putting my personal email address in the hands of spammers. I have an address I use for everyday emails, and another I give to people that I trust (That was the email address I gave you). If email comes in on that trusted address, it has an added level of legitimacy in my eyes, but not any longer.

    As you tell us in your columns, check the fine print, read to the bottom of every page, and make sure you only checked the boxes that you wanted checked.

  • Christopher Elliott

    I’m still baffled at how efficiently StumbleUpon harvested my entire address book, and appreciate all of the advice in the comments. I’ve spent some time on the site today and am disappointed by the experience. Although there’s no hard evidence that StumbleUpon will continue using these e-mail addresses, I’m going to write them to ensure they are never repurposed.

  • http://www.nancyredd.com Nancy Redd

    I submitted this to Consumerist because it is VERY important to know – what an invasion of privacy (not to mention embarrassing regarding exes and other contacts who have fallen by the wayside)!

    Spirit Airlines almost gets me all the time with their pre-checked Travel Insurance or whatever that is. I’m sure tons of people get scammed and pay for it when shopping for super cheap flights on their site.

  • http://www.bonjourparis.com Karen Fawcett

    Chris … I do EVERYTHING you say but boy was this a whammy.

    I do hope I’ll have some friends left after StumbleUpon “helped itself” to my address book. wow….what a scam!

    BUT – you’re still the best.

  • Chicky

    Yeah, those pre-checked boxes are insidious. I always look for them, anytime I have to set up anything online. It’s a creeping menace. Sheesh!

  • Ed Ferrell

    LinkedIn seems to do something similar. While I don’t think it sends emails it did scour my address book and compared it to those who’ve already signed up for LinkedIn. And I think all without my asking them to.

  • Eli

    My wife ran into the same problem with a site called Quechup.com. Someone sent her an invite and when she signed up, she unchecked the box for her gmail address book, but it still sent it to hundreds of people. The worst part was that gmail automatically stores addresses you have replied to on a one-time basis. So it sent an invite to more than just the regular people on her contact list.

  • http://jeffreykafer.spaces.live.com/ Jeffrey Kafer

    I had the same problem with Quechup.com. Sent stupid emails to everyone, hundreds of people. And I’m a voice-over artist, so it sent emails to clients, former clients, agents, contacts, etc. Totally embarrassing. I feel your pain.

  • Jonathan

    Well, at least all you could give them of mine own info, was the “junk mail” info I had given to you (an alternate email and pseudonom, I only use for subscriptions).

  • Joe F.

    Hey – their sign up program email harvesting does not work with macs. We tried with a new mac using a bogus set of addresses here in the office. It did not and could not find the entourage or MacMail address book. Yet another reason to own macs.

    I would be interested to see which browser you were using when your address books got hijacked – I would be willing to bet it was 100% Internet Explorer – since the click to sign up probably added an active x control to look for the outlook and outlook express address books and automatically harvest them.

    Chris, I’m with Ron above – how did you fall for this one!?

  • http://www.azmortgageguru.com shailesh ghimire

    Same thing happened to me. It really irked me as well. A few friends e-mailed me back and asked what it was about. Most folks ignored it.

  • Atticus Rominger

    They got me. I signed up, figured Chris was on to something good. It just goes to show you, though, underhanded deeds don’t pay in the long-run. I was skeptical enough not to share withe any friends… and now I’ll be unsubscribing.

  • http://eric.stumbleupon.com/ Eric Goldberg

    (Posted this on your follow-up article as well)

    Hello,

    I’m an engineer for StumbleUpon, and I am implementing a fix for the problem you note herein.

    The root of the problem is, both “Select All” controls check/uncheck *all* checkboxes on the page, not just the ones in the section they are nearest. So when you deselected the bottom Select All, you deselected both emails and friends already on SU. Then when you selected the top Select All, you reselected everyone on the page.

    As more and more people join StumbleUpon, more data is pushed “below the fold” on the Invite Friends page, and the functionality of the Select All controls become less and less clear.

    As a fix, I have recoded the controls to only select/deselect the checkboxes for the section above which they sit. This should make it more clear to our users which boxes will be checked and unchecked.

    Also, we do not store your login credentials in any way, nor will we spam your friends.

    Thanks,
    Eric Goldberg
    StumbleUpon Dev Team

  • Christopher Elliott

    Eric, thanks for jumping in with an answer. It’s very much appreciated. I think the change you’ve made is a step in the right direction. But let me also suggest adding an “are you sure?” screen after people have designated who they want to invite — something that says, in effect, “You are about to invite the following 9,000 people to join StumbleUpon.”

    Also, the “opt-out” on the invites has freaked a lot of people out. It implies they’ve been added to some kind of list. Maybe there’s a way of clarifying that this is a one-time invitation without scaring them. Just a thought or two.

  • http://www.marilynsholin.com/blog Marilyn Sholin

    Remembered this happened to when it happened to me today with a site called TAGGED. Do not join, if you did get OUT now. It told me I had people already in my address book that were TAGGED members and to log in to see who they were. It then proceeded to steal my address book and send an invite (without asking my permission) to everyone in there. This is taking hours of my time to get my friends family and opt ins to newsletters (8000 email addresses!) out of TAGGED.

    At this point it also has me too busy fixing things to get to the bottom of them. But eventually, I will.

    Marilyn

  • Hillel Max

    i wanted to share a video with two friends, somehow it had all my email addresses i ever used in aol and sent the video to everyone, the select all button was checked by default and i did not realize it. I an not figure out how to remove my contacts. I hate this website now even though the concept is great.

Previous post:

Next post: