Quechup is one of many platforms to enter the social network arms race since MySpace appeared in 2003. Like many similar sites, Quechup offers members a way to find people they know on the site, as well as invite them to join by accessing address books on other systems: provide Quechup with your Google login and password, and it can grab your contacts via Google's API. Typically other systems include a step where you can include or exclude names from your address book once it's imported. Quechup evidently doesn't do that. Other systems also let you match users already in the system without inviting nonmembers -- again, apparently not Quechup.
Though the system's been operating this way since it was launched in 2005, it caught a lot of blogosphere flak last week for its methods. Xeni Jardin at boingboing was blunt: "Quechup is rotten: don't accept invites." Xeni goes on,
While you were Burning / vacationing / spacing out offline this Labor Day weekend, many folks online were hit with invitations from a social networking service called Quechup that violates your address book, and abuses user trust by spamming all your contacts.
Other bloggers suggested that Quechup had captured email addresses without the user's permission, though a comment thread at Chris Hambly's blog calls other bloggers' complaints "mass hysteria" and clarifies that Quechup is pretty clear about what will happen if you give access to one or more of your address books. Evidently some users expected that customary "include/exclue" extra step -- which does make sense, because not everybody in your address book is your friend.
This Quechup blowup relates to broader issues of data privacy and identity that could fill many columns. The Internet has been mainstreaming for quite a few years now, and as more people spend more time in online environments, more data about them accumulates well outside of their immediate control.
ZDNet has covered systems that claim to let users manage this data: RapLeaf.com and Upscoop.com,, and the related TrustFuse. Rapleaf aggregates information about your reputation -- and this can happen whether you're a Rapleaf member or not, if you're on one of the systems from which it sources data, like Facebook, LinkedIn, Flickr, Multiply or Amazon. Seeing your identity information and a reputation rating on a system that you didn't even join can be pretty strange, no? Well, that data was all out there in more or less public places, just waiting for someone to pull it together.
Once you've checked out your reputation at Rapleaf, you can log into Upscoop, allow access to your address books, and "get the scoop on all of our friends" by learning which social network systems they've joined. Trustfuse finds similar data, massages it, and packages it for marketers. Per ZDNet,
...Rapleaf sweeps up all the publicly available but sometimes hard-to-get information it can find about you on the Web, via social networks, other sites and, soon to be added, blogs. At the other end of the business, TrustFuse packages information culled from sites in a profile and sells the profile to marketers. All three companies appear to operate within the scope of their stated privacy policies, which say they do "not sell, rent or lease e-mail addresses to third parties."
TrustFuse doesn't use data from Rapleaf, but it doesn't have to: it can use the same methodology to build new profiles from the initial data, that is, email addresses -- provided by its customers.
How sinister is this, really? Well, marketing people will tell you that their uses of this kind of data are relatively soft and not particularly invasive, like showing you advertisements that fit your interests. If they're going to show you the ads anyway, this reasoning goes, why not find ways to make them relevant? But if the FBI or NSA uses the same methodology to learn more about you, the practice feels a lot less (arguably) benign.
Which data are yours, and who has a right to use them? It would have been better to have answered this question long ago, and there were some attempts. For instance, the World Wide Web Consortium (W3C) has for years been working on a protocol called the Platform for Privacy Preferences, or P3P. But this has
never been entirely adopted as a standard protocol.
What we need is a usercentric solution that is standard, well understood, and can be implemented as part of the architecture of the Internet and the web. And we need more clarity about how we balance our need to expose our data to get certain kinds of things done (such as purchase transactions or expanding our online social network connections) with our desire to avoid exploitation of that data by individuals, businesses and governments.
Note: After I wrote this article, I learned that Rapleaf made a long post about mistakes they'd made.
here's a cached image in Google of what Xeni Jardin really thinks of Quechup: