Business is business, but some things are dishonest, and dishonest usually gets away scot-free on the Internet. You can learn a lot about what legitimate looking sites are capable of, and what ordinary users are willing to do when asked, from the example of Tagged.
Tagged is one in a flood of new social networking sites targeting teenagers. They're all MySpace wannabes, and perhaps some of them are harmless, but I'm going to focus on Tagged. It first got my attention several weeks ago when I got about six e-mails in rapid succession from a friend of mine. They were obviously auto-generated invites to join a site and said “[my friend's name] has added you as a friend on Tagged,” and “Please respond or [my friend's name] may think you said no :(“. I could tell right off something phony was going on, but I still had better things to do, so I passed, and my friend was apologetic about it. I wasn't the only one who got the e-mails.
Then I read this blog entry from Symantec, and it explained how my friend might have gotten hit: “…when a user signs up for Tagged, they're practically forced to put in their Webmail credentials. Tagged then logs into your Webmail account as you, accesses your address book and prompts you to e-mail your contacts using your Webmail address as the reply-to.” At this point I figured the phenomenon might be bigger than I thought and decided to do some testing.
First, it's worth noting that the invitation e-mail is sent with From: and Reply-To: headers carrying the member's e-mail address, but it's actually sent through the tagged.com mail server. They use an envelope-from address of firstname.lastname@example.org so that they pass SPF (Sender Policy Framework) checks, a good example of the limits of SPF: it validates the envelope sender, not the From: address the recipient sees. In most mail clients the message ends up looking like it came from your friend, so you don't want to block that address.
I set up two Gmail accounts specifically for the testing, and a number of e-mail aliases on domains I own to be my “friends.” I put these aliases in the address books of the Gmail accounts. Signing up for Tagged (which, I admit, I did under an assumed name) was easy enough, although I quickly ran into what Symantec describes. I was prompted for my Gmail credentials. They already knew my Gmail user name, since I had provided it as an e-mail address. There is no option here but to provide a password.
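The envelope-versus-header mismatch described above is something a mail filter can check for itself. The following is an added example, not code from the article or from Tagged; the headers, addresses and domains in the sample are constructed placeholders. It reports when SPF passed for the envelope sender's domain while the From: the reader sees belongs to a different domain.

```python
# Added example (not from the original article): given raw message headers,
# report when the envelope sender domain (the one SPF actually checks) differs
# from the domain in the From: and Reply-To: headers that the user sees.
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers modelled on the invite described in the article.
# Addresses, IP and domains here are placeholders, not real ones.
SAMPLE_INVITE = """\
Return-Path: <bounce-handler@tagged.example>
Received-SPF: pass (sender IP is 192.0.2.10) smtp.mailfrom=tagged.example
From: "Your Friend" <friend@gmail.example>
Reply-To: friend@gmail.example
To: you@yourdomain.example
Subject: Your Friend has added you as a friend on Tagged

Please respond or Your Friend may think you said no :(
"""

def _domain(addr_header):
    """Return the lowercase domain part of an address header, or '' if absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()

def check_sender_alignment(raw_message):
    """Compare the envelope sender (Return-Path) against From:/Reply-To:.

    Returns a dict with the domains involved and whether the visible From:
    is aligned with the domain SPF evaluated. An SPF 'pass' with misaligned
    domains is the case the article describes: the mail passes SPF for the
    sender's own domain while displaying someone else's address.
    """
    msg = message_from_string(raw_message)
    envelope = _domain(msg.get("Return-Path"))
    header_from = _domain(msg.get("From"))
    reply_to = _domain(msg.get("Reply-To"))
    spf_line = (msg.get("Received-SPF") or "").strip()
    spf_result = spf_line.split(" ", 1)[0].lower() if spf_line else "none"
    aligned = bool(envelope) and envelope == header_from
    return {
        "envelope_domain": envelope,
        "from_domain": header_from,
        "reply_to_domain": reply_to,
        "spf_result": spf_result,
        "from_aligned": aligned,
        # SPF passed, but for a domain other than the one shown to the reader.
        "spf_pass_misaligned": spf_result == "pass" and not aligned,
    }

if __name__ == "__main__":
    for key, value in check_sender_alignment(SAMPLE_INVITE).items():
        print(f"{key}: {value}")
```

This alignment test is the same idea DMARC later standardised; a filter that keys only on SPF would let the invite through, while one that keys on the friend's address would block real mail from the friend.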
Before too long the addresses in my Gmail address book received invites like the one I received. I later figured out that you can provide an incorrect password here, and it lets you proceed. Incidentally, they have similar functionality for AOL Mail, Hotmail, Yahoo mail and MSN mail.
Before I actually signed up I decided to read their TOS (terms of service), something I'm sure none of the teenagers they target have done. It's long, and a genuine Nightmare on Elm Street of abusive and, while we're at it, misleading privacy rules.
The Terms of Service
Here are a few highlights from the TOS which, so it says, was updated as of October 18, 2006:
- Tagged reserves the right to modify or amend this Agreement at any time, for any reason, or for no reason at all, at Tagged's sole discretion. —And they'll post the changes but won't otherwise notify you, and it's your job to check the TOS page. Perhaps this is standard practice, even if it makes it impossible to follow the rules.
- During registration, users also complete survey questions that provide information that is helpful for us to understand the demographics and consumer behavior of our users, such as identifying the user's eye color, style, personality type, favorite color, sport, food, activity or TV show, post-graduation plans or graduation year. —Eye color? This gets even creepier when you hear the rest of the rules.
- From time to time, Tagged may share the e-mail address and/or other personally identifiable information of any registered user with third parties for marketing purposes. You may opt-out from receiving marketing messages from our partners at any time by using the following link: http://g.trackbot.com/dne?l=705f227&e. In addition, Tagged may share a registered user's e-mail address with third parties to target advertising and to improve user experience on Tagged's pages in general. —So they can share your eye color, your school, etc., with anyone they want, for marketing purposes. This is the heart of what Tagged is about, of course: building a database with all this PII (personally identifiable information). As far as I can tell, under this agreement they can sell your Gmail login credentials too. And who are the third parties to whom your PII may be sold? Spammers? Pornographers? That would be cool under this TOS.
- Users have the option, within their Internet browsers, to disable cookies and continue to access the Tagged website. —Not true. I tried. If you disable cookies it won't let you log in and says that you have to enable cookies.
- Pixel tags are tiny graphic files that are included in HTML-encoded e-mail messages. We use pixel tags to gather information about the e-mails we send to our registered users. When such a message is opened in an HTML-capable e-mail program, the recipient's computer accesses our server to retrieve the pixel tag file and allows us to record and store the date and time, the recipient's e-mail address and other standard logging information. The pixel tag also may read cookies. Tagged Web pages may also contain similar pixel tags that allow us to count users who have visited those pages to compile aggregated statistics about site usage and to deliver co-branded services as they become available. Tagged pixel tags collect only a limited set of information including a cookie number, time and date of a page view and a description of the page on which the pixel tag resides. Tagged Web pages may also contain pixel tags placed there by third-party ad servers, to monitor the effectiveness of their advertising. —Pretty good description of what I always called “Web bugs.” But they don't just send them, as the TOS says, to their registered users. The invitation e-mail I received from my friend had this tag in it:
<img src="http://www.taggedmail.com/imgsrv.php?uid=12345678" />
Obviously a “pixel tag.” The whole point of this, and the basic point of the cookies is to track you, and then to sell the information they collect.
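A mail client or gateway can spot tags like this one before rendering the message. The following is an added example, not code from the article or from Tagged: it scans an HTML body for remote images that are either declared one pixel in size or carry per-recipient query parameters, as the imgsrv.php?uid= tag above does. The sample body is constructed; the uid value is the placeholder the article shows.

```python
# Added example (not from the original article): find tracking pixels in an
# HTML e-mail body. A tracking pixel is a remote <img> that is invisible or
# tiny and whose URL carries a per-recipient identifier; fetching it tells the
# sender who opened the message and when.
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

class _ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})

def _is_tiny(attrs):
    """True when width/height attributes declare a 0 or 1 pixel image."""
    dims = [attrs.get("width"), attrs.get("height")]
    return any(d is not None and d.strip().rstrip("px") in ("0", "1") for d in dims)

def find_tracking_pixels(html_body):
    """Return findings for <img> tags that look like tracking pixels.

    Flagged when the image is remote (http/https) and either declares a tiny
    size or carries query parameters (a per-recipient id, as in the Tagged
    invite's imgsrv.php?uid=... tag). Inline (cid:) and local images are ignored.
    """
    collector = _ImgCollector()
    collector.feed(html_body)
    findings = []
    for attrs in collector.images:
        src = attrs.get("src", "")
        parts = urlsplit(src)
        if parts.scheme not in ("http", "https"):
            continue
        params = parse_qs(parts.query)
        tiny = _is_tiny(attrs)
        if tiny or params:
            findings.append({"host": parts.netloc, "url": src,
                             "tiny": tiny, "params": sorted(params)})
    return findings

# Constructed sample body: the pixel tag quoted in the article (placeholder uid)
# plus an ordinary logo image and an inline image that should not be flagged.
SAMPLE_HTML = """<html><body>
<p>Your Friend has added you as a friend on Tagged.</p>
<img src="http://www.taggedmail.com/imgsrv.php?uid=12345678" />
<img src="http://www.tagged.example/logo.png" width="120" height="40" alt="logo" />
<img src="cid:inline-part" width="1" height="1" />
</body></html>"""

if __name__ == "__main__":
    for finding in find_tracking_pixels(SAMPLE_HTML):
        print(finding)
```

The simplest mitigation is the one most mail clients now default to: do not fetch remote images until the reader asks for them, which denies the sender the open notification entirely.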
Nothing in the TOS says that they will be harvesting addresses from your address book, nor what they are entitled to do with those addresses. Perhaps they consider these addresses as being provided for invitations to Tagged, but that's clearly not true.
I also tested canceling my Tagged account, and the process seemed to work, but you need time to really judge such things. For instance, even though I cancelled, are they still selling my PII?
To answer this question and to give Tagged a chance to respond I decided to contact them but ran into problems. They have no contact link on their page, and the closest link they have to one, with company information, is to http://corp.tagged.com/, a dead link. Why am I not surprised?
I have seen the future of teenage exploitation, and it's on social networking sites. Even the “legit” ones like MySpace creep me out some, and I'm sure Tagged isn't the only one that scams and abuses its users. When users are willing to provide their e-mail login to a Web site, you know we have a long way to go to make the Internet safe.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.