Slashdot Mirror


Is Flixster Using Deceptive Viral Practices?

Talaria writes "The social networking movie review site Flixster is requesting their users' AOL, Gmail, Yahoo and Hotmail passwords, and then using them to access users' address books and send 'invitations' to join Flixster, making them appear to come from the user. The password prompt screen includes the ISP's logo right next to the password prompt. Rather than hiding this little 'feature,' Flixster brags about it in an interview after receiving $2 million in venture funding earlier this year." American Venture Magazine notes: "...such practices are becoming increasingly... common as new and even established web sites look to attract visitors without expensive marketing campaigns and a hefty advertising budget."

5 of 190 comments

  1. Phishing made easy by the_doctor_23 · Score: 5, Insightful

    After spending time and again to train our users not to give out passwords and other sensitive information, this feels like a smack in the face.
    As this practice gets more common, people will lower their guards (if they had them in the first place) and become conditioned to give out their password to anyone who asks.
    I can already hear them say "... but the website asked me for it... was that wrong?" *sigh*

    --
    "Extraordinary claims require extraordinary evidence" - Carl Sagan
  2. Re:Facebook does this too. by scsscs · Score: 5, Informative

    The article makes it sound that way but it's not the case. They do prompt you to select which contacts to send an email to.

  3. Re:Facebook does this too. by Tim+C · Score: 5, Insightful

    The point remains that not only do these sites ask for your email account password, but people actually let them have them. I personally find it utterly incredible that they even ask; this is so open to potential abuse that I can hardly think where to start. Sure, you can always change your password if they do start to abuse it (if they don't change it first!), but by then the damage may already be done.

  4. Exactly; not new by blowdart · Score: 5, Informative

    sms.ac did exactly the same thing; but didn't ask permission to email people. Whilst you'd think people would know better even Joi Ito got caught by this, what's worse is they spammed before the signup process was complete. Joi immediately quit using the service and blogged a public apology, referring to sms.ac as spammers. Next thing you know they sent him a cease and desist demanding Joi stopped calling them spammers.

  5. Here's how to stop these scams by bocaJWho · Score: 5, Insightful

    Google and other mainstream mail-service providers can put a stop to these messages pretty easily. Sending these messages violates several points in Gmail's Terms of Use and Program Policies. Specifically:

    - Section 2. Personal Use: "The Service is made available to you for your personal use only."
        I see two violations here. First of all, they are giving the use of the service to someone other than themselves, violating the word "your". Secondly, they violate the word "personal" - this is clearly a business application.
    - Section 3. Proper Use: "... Your use of the Service is subject to your acceptance of and compliance with the Agreement, including the Gmail Program Policies ..."
        Violations of the program policies include:
        - "Generate or facilitate unsolicited commercial email ("spam"). Such activity includes, but is not limited to ... selling, exchanging or distributing to a third party the email addresses of any person without such person's knowing and continued consent to such disclosure ... Interfere with other Gmail users' enjoyment of the Service" [spam certainly interferes with my enjoyment of Gmail].
    - Additionally in Section 3: You shall not "(i) use the Service to upload, transmit or otherwise distribute any content that is unlawful, defamatory, harassing, abusive, fraudulent, obscene, contains viruses, or is otherwise objectionable as reasonably determined by Google;" Again, I find spam harassing.

    Given these violations, Google would be well within their rights to terminate the accounts (actually, according to the Terms of Use, they can do that whenever they feel like it, but let's assume they don't want to look too evil). Alternatively, they could send out notices that they will terminate any accounts that have been violated if they don't change their password in the next 10 days. Since so many people would lose, or face impending loss of their email accounts, services such as Flixster would suddenly have to find a new business model.

    While I didn't check, I would bet Hotmail, Yahoo Mail etc. have similar terms of use.

    Even if Flixster decided to keep being an ass and collect passwords anyways, that would just mean that people stupid enough to give out their passwords would no longer have email accounts. Either way, I see no loss. Get to it Google et al.