There is a clear opportunity for online email providers and social networking sites to limit the damage of phishing and email spam by giving customers tools to regulate the flow of data.

Yesterday, before New York Attorney General Andrew Cuomo suing Tagged.com story broke, I cold emailed a member of the Gmail team:

Gmail could help web security a lot by providing:
1. Authentication (OAuth) to Gmail address book making it clear that you were not providing your Gmail passsword to a 3rd party web site.
2. Default level of access only provided names and salted hashes of email addresses from address book (possibly 3rd party web site part of salt)
3. Allow only a limited number of actual email addresses to be requested in a time period. I’m guessing ~30 would be a sweet spot.

That would seem to be one possible solution. If this is not a good solution, I think it’s important for your team to look to tackle the problem described below in another way.

EXPLANATION

[Background information described in my "Tagged.com Spam? Phishing? Nice Guys? My Personal Story"]

I’ve seen similar UI at othe web services, where everyone in your address book is selected by default. I think there is an awesome opportunity for your team to create an experience that works well for your partners and protects your customers from the type of mistake described above and more importantly from malicious sites.

Some of the problems that I think Gmail and other online email address book and social networking sites should at least take partial ownership by:

• Not allowing 3rd party sites to embed login forms. They should use OAuth or a similar approach. (Even on AppEngine — train us well).
  
• Having a really clear experience about what data you are giving access to (how pissed your friends might be), and a way to provide only limited data.
• Providing salted hashes instead of email addresses, so that a person can find their friends on a 3rd party service without having to hand over the actual email addresses of their friends.

I don’t think I read the Google Chrome Operating System announcement until after I sent that email. When I did read the announcement, I thought about how empowering and freeing it will be for our computing to be in the cloud, but I also thought about problems like this one, and how many scary things can happen when you are no longer hold the container(the harddrive in your PC) for your information and data.  There is a lot of design still to be done to create a safe and friendly experience.

Brad Stone‘s New York Time (NYT) article today “New York Attorney General Sues Tagged.com” begins:

“Turns out our recent article on the spammy social network Tagged.com …”

Rafat Ali‘s paidcontent.org article today “Social Net Tagged Getting Tagged…Er…Sued By NY AG” begins:

“High time someone asked harder questions: Tagged …”

Laura Northrup‘s The Consumerist article today “NY Attorney General Unfriends Tagged.com, Files Lawsuit“:

“… social networking contact-spamming site Tagged.com. …”

As you can see by how those stories start, there is a lot of bad will for Tagged.com. Some weeks ago I was researching this very topic, but did not find the recent Alina Tugend NYT “Typing In an E-Mail Address, and Giving Up Your Friends’ as Well” article about Tagged.com nor did I find Tagged CEO Greg Tseng response on their blog. In my web searches these were buried by years of complaints about Tagged.com phishing and spamming.

I guess, I should go back to the beginning. June 6th, I receive a Tagged.com invite from a dear older family friend,

“[redacted] sent you photos on Tagged Want to see the photos? Please respond or [redacted] may think you said no “

Clicking the link did not take me to photos, but instead to a registration form. The registration did not allow proceeding without providing my login to Gmail, and every person in my address book was selected by default to invite before proceeding. ((Another email account, that I don’t use publicly also received the email invite, and since then — coincidentally I hope — has now received it’s first spam email.))

Oh no! I immediately let the family friend know that they signed up for what seemed to be a phishing and spam site and that it was important to change her passwords. The friend was really upset and explained that she received the invite from a professional friend of hers, and was worried for everyone else that might have received it from her.

I didn’t think of it much again until some weeks later, when she described still being bothered by it, how embarrassing it was, and that she didn’t feel confident using the web any more. She had removed all her photos from Flickr. So, I decided to take another look at Tagged.com and that takes us to all the complaints I described finding above.

I checked the Tagged.com’s site, and was surprised to find the board of directors included Reid Hoffman, Founder & CEO of LinkedIn, and two members of the Mayfield Fund: Raj Kapoor and Allen Morgan. All people I deeply respect.

I scratched my head and tried to look at the situation from different angles. I discovered that Tagged.com has rave reviews from a young audience. That the pushy, in your face Tagged.com experience works for this young audience. I guessed that Tagged.com might be tacky enjoyable like MySpace is to many young people.

So, I decided to reach out to CEO Greg Tseng through a mutual connection on LinkedIn. The email took about a week to get to him, and July 7th I received a thoughtful and apologetic response.

The timing of the lawsuit seems really unfortunately for Tagged.com as it seems like they were already in the process of cleaning up their act. I fear that there is a lot of circumstantial evidence against them, and any lawsuit won’t go well.

Update: Read my next article “Gmail’s Opportunity to Help Protect Against Tagged.com Mistake, Spam, and Phishing“. I think it’s at least as interesting part of the story.