Trojan Marketing: Evite, DoubleClick, and the rest

Exposing friends to Trojan Marketeers

Would you sign a friend up with a telemarketing or junk mail operation? Would you give their phone number or home address to a corporation you know little about? Do you want your friends to be tracked while they browse the Internet by a stealthy network of advertisers, spammers and worse?

Of course not. Then why are millions of people giving their friends' email addresses to corporations via an ever-growing range of web forms? They know that email addresses are the source of more pain in terms of spam than junk mail or telemarketers (thanks to do-not-call lists). But more and more I'm getting email from "evite" (really TicketMaster), greeting card companies, advocacy organizations, various media corporations, so-called "social networks", etc. Why? Because a friend knows my email address and wants to invite me to a party, convince me to join their cause, share a news story, or get me to sign up for something.

My friends mean well, but what they don't know is how much information can be easily tracked over the Internet. The corporations, networking with their "partners", can find out how and when I receive the message (via "web bugs"), even if I don't respond, or look at any attachments. And my friends don't know how easy it then is for the corporate networks to find out not only what kind of computer and software I use, but also to look up many of the web pages I browse and products I've expressed interest in, both in the past and for years into the future, what sorts of queries I enter into many search engines, and other personal information about me.

Most corporations deny that they currently track things to this extent, and their "privacy policies" often sound innocuous. But there are few legal limits on this sort of tracking. Most people don't know the implications of what the privacy policies allow and don't realize that the policies can be changed whenever the web site owners like, e.g. when they are strapped for funds or get bought out. And of course the ever-inquisitive agents of the FBI can request this sort of information without a court order these days. And the corporations are forbidden to let anyone know about that....

In each case, the normal way to communicate would be for my friend to just directly send me email. Every email client and web browser has a facility to forward a web page ("Send Page") directly to whoever you want. But instead they succumb to the convenience offered by a web page that presses them to type in the addresses of their friends so the message can be sent on their behalf. The message, best described as "trojan marketing", often gets past my spam filters because the corporation doesn't send it using a corporate address, but instead substitutes the email address of my friend ("with their consent").
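The two mechanisms described above (web bugs, and a message sent under a friend's address) can both be checked for in a received message. The following is an added example, not code from this page or from any of the services it names: it flags remote 1x1 images in the HTML body and a From domain that differs from the envelope sender. The sample message, all host names, and the premise that the sending service leaves its own domain in Return-Path are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real capture); every name and host is invented.
SAMPLE = """\
Return-Path: <bounce-8841@mailer.invites.example>
From: "Your Friend" <friend@personal.example>
To: me@home.example
Subject: You're invited!
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your friend has invited you to a party.</p>
<img src="https://cdn.invites.example/banner.png" width="600" height="120">
<img src="https://track.adnet.example/open.gif?u=8841" width="1" height="1">
</body></html>
"""

class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def domain(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def find_web_bugs(html):
    """Return URLs of remotely fetched images declared as 1x1 or smaller."""
    parser = ImgCollector()
    parser.feed(html)
    bugs = []
    for img in parser.images:
        src = img.get("src") or ""
        remote = urlparse(src).scheme in ("http", "https")
        tiny = img.get("width") in ("0", "1") and img.get("height") in ("0", "1")
        if remote and tiny:
            bugs.append(src)
    return bugs

def analyze(raw):
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    frm, env = domain(msg["From"]), domain(msg["Return-Path"])
    return {"from_domain": frm, "envelope_domain": env,
            "sent_on_behalf": frm != env, "web_bugs": find_web_bugs(body)}
```

Fetching the flagged image is what reports the open, so a mail client set not to load remote images by default never makes that request.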

It is fine for people to use their own private web sites to help them plan parties or collaborate with their friends, and many do. But the trend is for highly-promoted commercial web sites to tie themselves together with services like DoubleClick (see below), so that your activity on shopping sites, social networks, financial sites, news sites, etc. can all be correlated, with few or no legal restrictions (especially in the US) on what they can do with the information.

Bottom line:

Now for some cases in point.


As documented at Justin Ryan's blog entry Extra Spam, Hold the Quechup, the social networking site Quechup misleads you into thinking it is safe to let Quechup analyze your address book to find out which of your friends are already members of Quechup. But after you give them your address book, they spam all your friends, claiming you authorized it. That's a good way to lose friends....


Evite shares most of these "trojan marketing" and privacy problems and more. Note that they are owned by TicketMaster, the monopolists, and read this news story about them and spam: Ticketmaster privacy policy slammed


For more information on DoubleClick and the breadth of information they receive from millions of people using thousands of web sites, see Politech - iFriends replies to Brill's Content article on privacy, web bugs.

See also the Web Blooper of the Month from UI Wizards, or the much less polite and more technically informative evite complaints from Jamie Zawinski, a well-known Internet pioneer.

Abusive forms of Viral Marketing

Viral Marketing is the technique of getting your customers to help spread your message. As long as it isn't deceptive and doesn't hijack vulnerable computers, it is an ethical marketing practice.

When a web site asks people to share email addresses of their friends, warning lights should start to flash. If they have a privacy policy that allows them to retain those email addresses (as nearly all do), that should be plainly disclosed right on the form where the addresses are entered.

Finally, using intrusive techniques like web bugs, and deceptive techniques like easy-to-overlook "opt-out" check boxes, is clearly unacceptable. It becomes Trojan Marketing, which should be shunned.

Since most people can't easily tell the difference, I urge a great deal of caution. I hope my friends don't ever share my address unless they've done enough research on the company to know whether they use these techniques. But that's a pain, and it would nearly always be safer and more personal to just forward the message themselves.

See also

Neal McBurnett
Last modified: Sun Oct 21 22:36:25 MDT 2007