Quechup

Last updated

Quechup (kway-chup) was a social networking website that came to prominence in 2007 when it used automatic email invitations for viral marketing to all the e-mail addresses in its members' address books. [1] This was described as a "spam campaign" and raised a great deal of criticism.

Contents

Address book harvesting

The automatic invitation of all the contacts in the e-mail address books of people who signed up to their service was controversial for two reasons:

  1. Without explaining intentions, Quechup required permission to access the address book. [2]
  2. Invites were sent to all addresses in address books without permission of e-mail address owners.

This attracted a great deal of criticism [3] in September 2007.

Reacting to the criticism, Quechup's parent company iDate Corporation made a public statement on 17 September 2007, [4] stating that:

"Quechup was one of the first social networking sites to include such a feature back in 2005. With its growing popularity (social networks), expectations of what features a service should have and how they should work have emerged. Quechup's address check did not conform to what users now expect as the norm."

Much of the criticism focused on misleading users by hiding the nature of the feature in the 'small print' of the site terms [5] and not specifying it in the Quechup privacy policy, which stated only, "You agree that we may use personally identifiable information about you to improve our marketing and promotional efforts, to analyse site usage, improve our content and product offerings, and customize our Site's content, layout, and services.". [6]

While admitting the campaign was misleading, technology blogger Chris Hambly pointed out that text explaining how the feature worked was placed in normal print directly above the feature, raising the question of a user's responsibility to read what they agree to, although he noted that this explanatory text failed to clearly state what would happen. [7]

However you view this, no matter what your opinion is on this the fact of the matter is that you should READ what the page says as it is very clear. In any case there is a link which says "I don't have an address book"!... I can only say you should READ these things clearly in the future, it’s quite simple.

In their 17 September statement, Glen Finch, Chief Technology Officer stated

"It's important to confirm a few points. That the address book checker has always been an optional feature for members, they are under no obligation to use it and we provide relevant links for members to skip it. The explanatory text as to what it entailed and the terms of its use have always been stated directly on the page. We are well aware that Internet users frequently confirm they have read and agreed to lengthy all-encompassing terms and conditions rarely having actually read them. Therefore we deliberately included the explanation and terms of use directly on the page above the feature itself to avoid confusion."

This has raised the issue of users automatically 'opting in' without first understanding what they are accepting, rather than automatically 'opting out' of questionable features.

Response

Quechup responded by changing how it operated its service and belatedly reassuring customers it was not acting maliciously, even if irresponsibly.

  1. Quechup changed how its address book check worked within days, [8] clearly giving members the option of which contacts, if any, they wanted to invite.
  2. Quechup adopted Windows Live ID Delegated Authentication, enabling Live and Hotmail users to grant limited access by logging in directly on Microsoft's secure servers. [9]
  3. Quechup is a member of SenderScore [10] the world's most comprehensive database of email sender reputation.
  4. Quechup fully complies with Microsoft's Sender ID Framework for email authentication and uses SPF records. [11]

The Quechup affair encouraged calls for open authentication through an OpenID system such as Yahoo's BBauth, which would allow a user to grant limited access to their data, without providing passwords directly to a website. [12] Indeed Quechup adopted Windows Live ID Delegated Authentication, an OpenID system for Windows Live and Hotmail users.

Fake invitations

In a more recent development, technology journalist Robert X. Cringely raised the possibility that Quechup may be sending fake dating invitations to subscribers that attempts to get them to sign up to a premium service. In his article, Cringely stated that it was not certain if these fake e-mails were the work of what he called a "rogue Quechup affiliate who gets a commission for sign ups" or a more sophisticated automatic spam operation. [13]

See also

Related Research Articles

Email Method of exchanging digital messages between people over a network

Electronic mail is a method of exchanging messages ("mail") between people using electronic devices. Email entered limited use in the 1960s, but users could only send to users of the same computer, and some early email systems required the author and the recipient to both be online simultaneously, similar to instant messaging. Ray Tomlinson is credited as the inventor of email; in 1971, he developed the first system able to send mail between users on different hosts across the ARPANET, using the @ sign to link the user name with a destination server. By the mid-1970s, this was the form recognized as email.

The Simple Mail Transfer Protocol (SMTP) is a communication protocol for electronic mail transmission. As an Internet standard, SMTP was first defined in 1982 by RFC 821, and updated in 2008 by RFC 5321 to Extended SMTP additions, which is the protocol variety in widespread use today. Mail servers and other message transfer agents use SMTP to send and receive mail messages. SMTP servers commonly use the Transmission Control Protocol on port number 25.

Various anti-spam techniques are used to prevent email spam.

SenderPolicy Framework (SPF) is an email authentication method designed to detect forging sender addresses during the delivery of the email. SPF alone, though, is limited to detecting a forged sender claim in the envelope of the email, which is used when the mail gets bounced. Only in combination with DMARC can it be used to detect the forging of the visible sender in emails, a technique often used in phishing and email spam.

Internet security is a branch of computer security specifically related to not only Internet, often involving browser security and the World Wide Web, but also network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet represents an insecure channel for exchanging information, which leads to a high risk of intrusion or fraud, such as phishing, online viruses, trojans, worms and more.

Email authentication, or validation, is a collection of techniques aimed at providing verifiable information about the origin of email messages by validating the domain ownership of any message transfer agents (MTA) who participated in transferring and possibly modifying a message.

Message submission agent

A message submission agent (MSA) or mail submission agent is a computer program or software agent that receives electronic mail messages from a mail user agent (MUA) and cooperates with a mail transfer agent (MTA) for delivery of the mail. It uses ESMTP, a variant of the Simple Mail Transfer Protocol (SMTP), as specified in RFC 6409.

Disposable email addressing, also known as DEA or dark mail, refers to an approach where a unique email address is used for every contact, entity, or for a limited number of times or uses. The benefit is that if anyone compromises the address or utilizes it in connection with email abuse, the address owner can easily cancel it without affecting any of their other contacts.

Email harvesting or scraping is the process of obtaining lists of email addresses using various methods. Typically these are then used for bulk email or spam.

Emailtracking is a method for monitoring the delivery of email messages to the intended recipient. Most tracking technologies use some form of digitally time-stamped record to reveal the exact time and date that an email was received or opened, as well the IP address of the recipient.

Outlook.com

Outlook.com is a personal information manager web app from Microsoft consisting of webmail, calendaring, contacts, and tasks services. Founded in 1996 by Sabeer Bhatia and Jack Smith, Hotmail was acquired by Microsoft in 1997 for an estimated $400 million and relaunched as MSN Hotmail, later rebranded to Windows Live Hotmail as part of the Windows Live suite of products. Microsoft phased out Hotmail in October 2011, relaunching the service as Outlook.com in 2012.

Gmail interface

The Gmail interface makes Gmail unique amongst webmail systems for several reasons. Most evident to users are its search-oriented features and means of managing e-mail in a "conversation view" that is similar to an Internet forum.

mail.com

mail.com is a web portal and web-based email service provider owned by the internet company 1&1 Mail & Media Inc., headquartered in Chesterbrook, Pennsylvania, USA. 1&1 Mail & Media Inc. is a subsidiary of United Internet Group, a publicly listed company based in Germany which is considered a pioneer of online communication.

The X-Originating-IP email header field is a de facto standard for identifying the originating IP address of a client connecting to a mail service's HTTP frontend. When clients connect directly to a mail server, its address is already known to the server, but web frontends act as a proxy which internally connect to the mail server. This header can therefore serve to identify the original sender address despite the frontend.

EmailTray is a lightweight email client for the Microsoft Windows operating system. EmailTray was developed by Internet Promotion Agency S.A., a software development company.

Microsoft account

A Microsoft account or MSA is a single sign-on Microsoft user account for Microsoft customers to log into Microsoft services., devices running on one of Microsoft's current operating systems, and Microsoft application software.

People tend to be much less bothered by spam slipping through filters into their mail box, than having desired e-mail ("ham") blocked. Trying to balance false negatives vs false positives is critical for a successful anti-spam system. As servers are not able to block all spam there are some tools for individual users to help control over this balance.

SmartScreen is a cloud-based anti-phishing and anti-malware component included in several Microsoft products, including Windows 8 and later, Internet Explorer, Microsoft Edge and Outlook.com. It is designed to help protect users against attacks that utilize social engineering and drive-by downloads to infect a system by scanning URLs accessed by a user against a blacklist of websites containing known threats. With the Windows 10 Creators Update, Microsoft placed the SmartScreen settings into the Windows Defender Security Center.

A mailbox provider, mail service provider or, somewhat improperly, email service provider is a provider of email hosting. It implements email servers to send, receive, accept, and store email for other organizations or end users, on their behalf.

A web beacon is a technique used on web pages and email to unobtrusively allow checking that a user has accessed some content. Web beacons are typically used by third parties to monitor the activity of users at a website for the purpose of web analytics or page tagging. They can also be used for email tracking. When implemented using JavaScript, they may be called JavaScript tags.

References

  1. Saul Hansell Social network launches worldwide spam campaign New York Times, 13 September 2007
  2. Cashmore, Pete (2 September 2007). "Are You Getting Quechup Spammed?". Social Media. Mashable . Retrieved 3 March 2010.
  3. Had an invite from Quechup? Jemima Kiss Digital Digest Monday 10 September 2007 GuardianUnlimited , Accessed 23 June 2008
  4. The Quechup Social Networking Platform: IDate Corporation Updates Quechup's Address Book Feature Archived 1 January 2008 at the Wayback Machine Press release, Newbury - Berks - UK - 18 September 2007
  5. Quetchup = Kvetchup Archived 14 October 2007 at the Wayback Machine Saturday, 1 September 2007 Digital Flotsam , Digitalflotsam.com.
  6. Privacy policy quechup.com, Accessed 10 September 2007
  7. Quechup And Mass Hysteria Archived 5 October 2007 at the Wayback Machine - Chrishambly.com, 2 September 2007
  8. Do social network sites genuinely care about privacy? Charles Arthur The Guardian Thursday 13 September 2007, Accessed 13 September 2007
  9. Windows Live ID Delegated Authentication grants limited access to users data without providing passwords directly to a website.
  10. Lookup for Quechup.com SenderScore reputation database covering email senders
  11. The Sender ID Framework is an e-mail authentication technology Archived 11 December 2008 at the Wayback Machine - Microsoft Sender ID, Accessed 9 December 2008
  12. OAuth: Open Authentication Comes Closer to Reality Archived 11 October 2007 at the Wayback Machine O'Reilly Radar Tuesday 09.25.07
  13. Robert X. Cringely Oops, you just spilled Quechup on your pants Archived 12 December 2008 at the Wayback Machine , InfoWorld, 7 April 2008