(Cross-posted from my personal blog, because it’s more relevant here anyway.)
I spent the morning looking at the security and privacy implications of a common practice on social networking sites: Importing address books. Social networking sites like LinkedIn, Flixster, FriendSter, MySpace, and Facebook depend on large numbers of subscribers to form social networks.
Each of these sites wants the most people, and the most e-mail addresses, possible. But uploading or manually typing in e-mail addresses is a pain for users, particularly the nanosecond-attention-span teens that many of them target. So they try to make it easier to import address books from webmail services like GMail, Yahoo, MSN and others.
And here’s the problem: To do this, you need to tell them your username and password, often in plain text. This is a security risk. After a chat with one of the founders at Flixster (who commented on a previous post) I decided to take him up on his suggestion to check out other social networking sites to see if, indeed, this is the rule.
The results of the research, after the jump.
This chart summarizes my findings, but the details below are more informative.
To understand the details behind all this, read on…
I had a quick dialogue with Joe from Flixster about my earlier post on their address book extraction. He was pretty positive and helpful; but since I’ve received lots of mail and some comments on the post, I wanted to clarify Flixster’s response. Joe said:
1. I wish all the major mail vendors provided a good interface and API for integration. Unfortunately they don’t. What is out there is unfortunately so laborious for the user that the percent of people that get through the process goes WAY down. That is why almost all consumer sites – especially teen-centric ones like us – build their own integration. I certainly hear your fears – but it’s what everyone does because the other approach just doesn’t work. Check out myspace/bebo/facebook/slide/yelp/linkedin/etc. Flickr is a very different demographic – didn’t really depend on viral email – and thus is unfortunately the exception rather than the rule.
2. You are right about encrypting login pages. We should do that. It’s hard to imagine anyone is out there sniffing packets to try to get at some 17-year-old’s Hotmail account – but as we grow we do need to tighten up such things. I can’t promise it’ll happen right away – we have lots of stuff to fix/improve – but I’ll put it on the list.
A friend of mine who’s one of the world’s leading security and privacy policy people (really; if I told you who he is you’d freak out) had this to say on the subject of social networking sites and security:
Interesting? No. Remarkably stooopid? Yes. Do others do it? Yep, cheap, unsophisticated and lazy are a powerful combination.
Nothing new here. There are plenty of convenience tools that generate unique passwords for every site you visit, store them securely, and let you remember one without ever sharing it or having to remember others. At a consumer level, this could really work to the general good. But even this has proven too sophisticated or “time consuming and too much bother” to gain traction.
Technology can’t overcome stupidity and sloth.
So on the SSL point, we’re agreed: Flixster should fix that, and fast, if they want to address potential snooping of private data when people access the site from a shared location. So, as it turns out, should several other sites, in particular MySpace.
The bigger issue is giving the social networking site access to your personal email account. Note that there is also a big difference between mining the account for addresses, and sending from that address. If a site uses GMail, or Yahoo, or someone else to send messages on its behalf, then the user that gave it permission to do so is violating the terms of service of their e-mail service. It’s unclear whether anyone does this. But even giving a third party your credentials may be a violation (and the services should clarify this.)
Yahoo’s terms of service say that “You are responsible for maintaining the confidentiality of the password and account and are fully responsible for all activities that occur under your password or account.” and GMail says “You are responsible for maintaining the confidentiality of your Service password and account, and are responsible for all activities that occur thereunder.”
I did a quick (unscientific) comparison of several popular social networking sites: LinkedIn lets me download a piece of software that mines my Outlook contact list and sent mails, then shows me a list of the people it found and lets me select some of them to upload to LinkedIn. But they also have a webmail address book import.
MySpace used to allow webmail address book import and promoted it openly. But several users have reported that they no longer link to it, possibly for security reasons. Nevertheless, the page is still there and appears to work.
Flickr seems to have no webmail address book import, and entries on their help page say that there’s no way to do it currently. Note that Flickr is owned by Yahoo, and they recently merged Yahoo and Flickr user accounts, so they already have the Yahoo webmail user database at their disposal (in a secure fashion.)
Friendster has a webmail address book import.
As I mentioned in that previous post, Flixster has a webmail address book import, no SSL, no terms of use and no pledge not to store the username and password beyond the retrieval.
Facebook has a webmail address book import.
I also looked at Plazes, which doesn’t have webmail address book import. Plazes is noteworthy, however, for using the Flickr federated API and so I mention it here even though it’s not strictly a social networking application.
Here’s a table that summarizes several facts about each site. Note that SSL encryption isn’t relevant if you’re not doing webmail account import (so it’s marked N/A.)
Using this data, I’ve concluded that there are several levels of Web 2.0 invite “maturity”, from most private to least private.
- Manual entry of invitees, either by typing or by uploading a .csv. In this model, which is the most onerous and time-consuming, users have to explicitly include addresses to share and the social networking site has no access to either their address book or their webmail account.
- Desktop client download, which scours accounts and address books, but then submits what it’s found for approval by the user. LinkedIn is an example of this. In this model, the social networking site has access to their address book but the user can exclude addresses. The default, however, is to include all.
- Social Network website using a federated API (like Plazes does for Flickr, for example) with limited access to the address book but without the ability to send mails or log in. While the right model, the “address book wars” going on between mail providers like MSN, Yahoo, and GMail make it unlikely this will get sorted out (as the folks at Flixster point out.)
- Giving the Social Network website your login information, then having it check your address book unfettered. This is scary. Some sites pledge not to store your information beyond the duration of the login-and-download process (slightly better), while others make no such pledge (wrong, and probably a violation of P3P).
- The Social Network website using your mail system to send messages (which is nasty, but there’s nothing stopping them from doing this if you allow [4]). Nobody’s doing this yet from what I can tell (I dug through some invite mail headers to check and they all seem to originate from the provider’s address.) This is also bad because it makes it hard to filter based on source in the case of spam.
Here’s my handy-dandy chart ranking the various services surveyed here, with a proposed scale of privacy. The terms at the top are subjective and mine entirely.
From this quick study:
- MySpace should disable that page they’ve stopped linking to if they’re serious about security.
- MySpace, Flixster, Facebook, and Friendster all need to implement SSL.
- Flixster and MySpace need to state explicitly that they won’t store webmail usernames and passwords beyond the act of importing the address book.
- The major mail companies need to look long and hard at the practice of webmail address book importing.
In my opinion the “free ride” on user address books is going to stop fairly soon, once one of the smaller, less well operated social networking applications has a security breach or violates a mail provider’s terms of service in some egregious and visible way. But the social networking sites are such a draw for mail traffic (which in turn can be monetized through web advertising) that it’s going to take a widespread violation of privacy for the mail services to do anything.