I've touched upon the subject of end user education a number of times over the years in this newsletter. Last week I came across an interesting story that once again points out that such education is paramount, as are strict company policies that restrict Internet use from systems that store company data, including privately owned computers.
A relatively new social networking site, Quechup, is operated by iDate and is essentially yet another online dating site. If you sign up, you might take time to read Quechup's privacy policy (at the URL below), which is puzzling if not outright ridiculous.
http://quechup.com/privacy.php
It reads in part, "Please note that by visiting Quechup.com.com you are accepting the practices described in this privacy policy and conditions of use." I fail to comprehend how someone could possibly agree to a policy they can't even review until after they land on the site where it is stored.
Scanning the privacy policy led me to no information about how Quechup might gather information from my computer and use it to Quechup's advantage. However I did find a clause that reads, "you are not licensed to add a Quechup.com member to your mail list (email or physical mail) without their express written consent after adequate disclosure." I found that clause extremely interesting, and you'll see why in a moment.
If you sign up for an account, you're presented with the following message (as of September 6, 2007): "Congratulations! Welcome to Quechup. Find out which of your friends are already members. Choose the address book with the most contacts and we'll search for matches so you can add them to your friends network and invite non Quechup members to join you. By inviting contacts you confirm you have consent from them to send an invitation. We will not spam or sell addresses from your contacts. See our privacy policy. Your username or password will not be stored or saved."
Reading that text carefully, you might draw the conclusion that you have total control over who among your contacts becomes invited to use Quechup. But according to an anonymous blogger, Quechup actually harvests email addresses from your email address books, including those stored in Google Gmail, Yahoo! Mail, MSN Hotmail, Microsoft Outlook, and Outlook Express. After harvesting all your addresses, Quechup proceeds to send messages to them inviting them to join Quechup. Making matters even worse, Quechup reportedly causes the invitations to appear to come from you!
You can read more about this problem at the anonymous blogger's Web site at the first URL below, then read something of a defense of Quechup at another blogger's site, at the second URL below.
http://www.sparehed.com/hold-the-quechup/
http://www.chrishambly.com/content/quechup-and-mass-hysteria
Quechup's choice of wording in areas of its site is far less than crystal clear, and its behavior is dangerous to businesses because the company harvests what very well might be extremely private contact information. This could lead to embarrassing moments in which business contacts suddenly receive invites to a dating site that appear to come from your employees. Imagine this happening from a company PC on your network or maybe a privately owned PC that contains address information that's used for company business. It isn't a pretty picture.
So once again, we see that end user education is extremely important. If you're going to allow some amount of personal Internet use from company networks or allow users to store company data on private computers, then you're faced with a considerable risk, as Quechup's practices make clear. It might be safer to disallow some or all personal Internet use or limit it to a select few computers specially designated for such use.
Register
