Two months ago, we had someone essentially spam css-discuss by sending a social networking invitation to the list. Now, I’m all for making connections, but inviting close to 8,400 people all over the world to join your favorite new social graph seems a bit, well, anti-social. Further, there was a statement right in the invitation that sending it to someone not personally known was an abuse of the service. Regardless, it was a violation of list policies, so we booted the offender from the list. I followed the “never send invitations to this address again” opt-out link and reported the offender via the abuse reporting address.
I very quickly got back a reponse from the team, expressing regret over what had happened and promising to take care of it. I suggested they domain-block css-discuss.org and webdesign-l.com (you’re welcome, Steve), thanked them for being so responsive, and that was the end of it. Until a few days later, when I got personally spammed from the same user account. I reported them again, this time with a bit of snark, and opted myself out. I didn’t hear a word from anyone.
Of course, as you’ve guessed from the title, the site in question was Shelfari. And thanks to what I’m now finding out about their practices, it’s quite possible—even probable—that the offender was Shelfari itself.
What we have here is a clear case of bad design causing negative ripple effects far beyond the badly designed site. In the case of css-discuss, over eight thousand people got spammed through a members-only list they’d joined on the promise of high signal and low noise. I expelled a member of that community as a result of what a site did for them thanks to bad UI. I feel bad about that. Had I known, I might have put the account on moderation until they could be reasonably sure things were cleared up with Shelfari instead of just booting them. So I’ve tracked down their address and apologized, which seems the only honorable thing to do.
It may also be the case that bad ethics are as much to blame here as bad design. This is much harder to assess, of course, but the fact that the opt-out action was completely ignored makes me much less likely to chalk it all up to a series of misunderstandings. Even if the Shelfari team was trying to be good actors and bungling the job, it’s little wonder they’re being hung with the spammer tag (the “Scarlet S”?). Automatically using people’s address books to spread your payload is a classic worm-spammer technique, after all.
Given all this hindsight, I’m definitely intrigued by the following passage from the mail they sent me on 14 September:
We make it super easy to invite, but some people just send to all, which isn’t really what we want.
In other words, the very thing they’re apologizing for now, the thing that has caused such a recent uproar, was known to them no later than two months ago. So yeah, no surprise that a whole bunch of folks are not cutting Shelfari even one tiny iota of slack.
Anyway, the bottom line is this: if you’re signing up for a social networking site and they offer to contact people you know or import your address book or things of that nature, be very cautious. And be doubly cautious if you’re signing up for Shelfari.