Abusing Your Users' Trust

I signed up for Stockr (not linking it purposefully) when it popped up on ProductHunt the other day. I'm not really interested in the world of stocks, but the idea of stockr is interesting. I signed up to see if any of my friends were on it and how stockr implemented such a novel idea.

"See where friends and experts are investing their money."

Step 1 is sign up using Facebook. Fine. Having worked with the Facebook API, I know just how much information you can glean from a user that signs up using it, but...

"We won't share anything without your permission."

...at least they realize that sharing without my permission is a concern. That sentence alone tells me they're thinking about privacy. NOPE.

The next few pages are dedicated to finding your friends on Stockr. Of course I want to. Just Gmail authenticate and we're good. Nope, none of my friends use it already.

*brushes shoulders off* I guess I'm far further on the cutting edge than the rest of my friends. Guess I'm just an early adopter at heart. So cool.

Oh well, at least if anyone else joins, we can be friends on it. I head off to dinner and forget about it. It's not until I leave the restaurant that I take out my phone and check my email. Tons of messages from people asking about stockr and replying to emails that looked like this:

Just an email I sent to my good buddy, Gleb

Stockr emailed my entire address book. Mailing lists, professors from MIT, customers, family, friends, and people I wanted nothing to do with anymore.

Then I started receiving the same email from people. I felt like a jackass. Other people were signing up and stockr was emailing their address books too. I decided to send my first-ever mass email (on purpose, I mean). I actually had to go through my contacts and trim it down so that the emails were less than 500 contacts.

My first ever mass email!

...And the Twitter feed really was going nuts. People were pissed. I checked @stockr and there wasn't a peep. How could they not know?

I checked again today, because I wanted my damn apology. I've never angry-tweeted before and I wanted some fallout!!

No peep from them until 3 days after my outrage, then this:

Am I wrong to expect a better apology than this? You somehow wrote an apology without ever admitting fault. Your system caused ME to send invitations that I didn't mean to send? No. Your system sent those invitations; I had nothing to do with it.

I don't recall ever seeing an "Email your entire address book" button that I pressed. Why is this even a thing that you decided to build?

I feel guilty adding Facebook invitation buttons to apps and games that people probably legitimately want to share -- I wouldn't even dream of building something that emailed entire address books without a giant "ARE YOU SURE?" dialog attached.

I'm all for building new things and getting your project out there. I'm sure a lot of hard work has gone into their product, but I will always think of stockr as the site that spammed my address book.

I was embarrassed. One guy even posted a screenshot of my stockr spam on Facebook and tagged my boss asking why he was receiving messages like this.

I ended up catching up with a bunch of old friends and colleagues who I hadn't heard from in years, at least, due to my second email. So I guess it's not all bad.

But I'm pretty much never going to sign up with a service using my primary Gmail account anymore. Thanks for that.