Loopt SMS Invites Violate User Privacy

As many of you may or may not know, Loopt, the social networking "service", stalks your location wherever you go and broadcasts it to your friends, but beware of the "invite friends" screen. Apparently a "bug" (yeah right) causes you to invite everyone through SMS spam, and there's no way to unsubscribe either.

Notable bloggers such as iJustine, Merlin Mann, & Veronica Belmont have been affected.

This is what Merlin posted on his tumblr:

The Loopt SMS Mess

[previously, on Kung Fu Grippe]

I have a post underway for 43 Folders on this Loopt.com SMS invite mess. I’m letting the post season for a day or three while I do some necessary fact-checking and try to verify the details of what sounds like a very confusing piece of GUI in the Loopt iPhone app which apparently makes it trivially — even accidentally — easy to send SMS invitation spam to multiples of people whose mobile numbers live in your Address Book. At the recipient’s expense. And without prior permission. And, apparently, without user confirmation. [This is Bad.]

I’m still trying to make sure I understand precisely how this works, but if Loopt is doing anything that involves sending SMSs without the recipients’ prior opt-in — and then refuses to do anything about stopping it — this will deservedly escalate into a pop-the-popcorn, old-school, privacy shitstorm. (And, no, I will not be signing up for Loopt myself because — well — I don’t want to accidentally spam everyone I know. I’m like that.)

Here’s one anecdote for you. Justine Ezarik — who’s had the bad fortune to have to change her phone number numerous times owing to creeps — is just one of the folks who unknowingly sent her phone number and exact location to “a large portion of [her] contact list”.

I’ll give you a minute for that to sink in, because if you’re a connected person, you may want to ponder the consequences of unintentionally sending creepy bullshit to colleagues and business contacts who are too busy to care what you’re “geo-tagging” at a given time. I know, because I’m one of them. Hi.

Justine said:

If there’s one thing that I hate more than anything, it’s sending out invites to a service. Especially one I’ve never tried and haven’t been actively using for more than 15 seconds.

Never once did I see a confirmation message that my friends would be getting an invite. The worst part about it is that my phone number was sent along with every invite as a text message to my friends. I just recently got a new phone number and I haven’t been as free with this as I have been in the past.

Very interesting comment in Justine’s post from Martin May, who is one of the founders of ostensible Loopt competitor, Brightkite. I will quote this in its entirety, because, if this is all accurate, it seems to cement my hunch that the Loopt folks have swallowed a fat, dewy booger with this one. Martin’s comment:

Disclaimer: I am one of the founders of Brightkite.

Thought I’d throw in my 2 cents. First of all, I’d like to say that loopt has done a pretty good job with their app, and you can tell that they’ve put a ton of work into it. Naturally, I think that ours will be better, but I’ll let you be the judge of that when we release it later this month.

Concerning SMS spam: I was really surprised to see loopt violate quite a few of the MMA guidelines (http://www.mmaglobal.com/bestpractices.pdf) for SMS programs. The highlights:

1) Through the invite feature, the loopt app sends unsolicited messages to your contacts from their shortcode. According to the MMA guidelines, that’s a big no-no.

2) As some have pointed out, the loopt shortcode (56678) does not respond appropriately to HELP and STOP commands, as required by the MMA guidelines. Those commands are essential, and to be honest I am unsure how loopt got carrier approval without implementing them.

3) I couldn’t find information on loopt’s website detailing how to opt-out, another requirement in the MMA guidelines.

From what I understand, those “guidelines” are actually more than just guidelines, they’re requirements to get carrier approval. When we applied for our shortcode, we spent a lot of time making sure that we get these things right.

All that being said, I am sure that loopt will address those problems very soon. I know first-hand that it can be tough to get things 100% right at launch, especially in this new space, so let’s cut them some slack and give them a few weeks to fix things.

I haven’t yet seen a reason to share Martin’s very civil optimism — Loopt’s responses to people’s very real concerns about this stuff have so far consisted of friendly, beige, and very politely-worded blow-offs. So, the ball’s in Loopt’s court now as far as I’m concerned. I’m standing by, ready to be persuaded that this company has not leveraged my private data to build their userbase. At my expense.

For what it’s worth, deep in the bowels of their “Privacy Notice,” Loopt says (my emphasis in the last sentence):

“INVITE-A-FRIEND INFORMATION”: If you choose to use our invite-a-friend feature, then Loopt will ask you for your friend’s mobile phone number or email address. If you provide a friend’s mobile phone number, then Loopt will automatically send to that friend a one-time text message inviting your friend to join the Loopt Service and to add you as their friend. If your friend’s phone number is on a wireless provider and/or mobile device that is not supported by Loopt, then your friend will not receive this text message until their wireless provider and/or mobile device supports the Loopt Services. If you provide a friend’s email address, then Loopt will automatically send that friend a one-time email inviting your friend to register on the Loopt website. Your friend may contact Loopt at privacy@loopt.com to request that Loopt remove this information from our systems.

Well, that’s nice. You can email them. I sure did.

Friends, my patience with organizations that feel you should have to email them in order to not have your private information abused has passed the breaking point. If Loopt chooses not to see this nonsense as an invasive and potentially costly breach of many peoples’ privacy, then I pity the actual Loopt users who agreed to let these people publicly announce where they are all the time. Suddenly this goes from “potentially kinda creepy” to “Holy mackerel, what the fuck were you thinking?”

Loopt needs to step up, acknowledge this confusion, unconfuse-ify it, and then fix the goddamn hole. Turn it off. Like: quick. Wait for “weeks,” Martin counsels? That would be a real shame. Unless you’re feeling enthused by the prospect of unintentionally sharing your precise location with your exes, your old boss, that weird cat sitter you fired, or the sketchy halitosis dude you met at JavaOne in fucking 1997.

Maybe today I’m simply as old as I feel, but this kind of shit is just bone-chilling to me. And whenever companies shrug and try to make it seem like it’s somehow my responsibility to clean up the shit their half-assed “viral” business model left at my door? Man, that’s just galling to me. Galling.

Listen: if Loopt has something substantial to say about all this (beyond the solicitous spin mode they’re polo-shirting around in right now), I will happily link to it from this modest space. A lot of people I respect seem to love these guys and their app, so I hope the Loopt folks will do the right thing and own up to a seriously bone-headed move. That’s on them.

As I leave for tonight, though, I will once more point you to my thread about this at Get Satisfaction, where a number of people have jumped in to express their own similar frustration with this issue. If you have relevant information to share that would help illuminate what’s going on — especially if, like me, you’ve received an SMS via Loopt from someone you don’t know — I hope you’ll consider adding your thoughts to that thread.

More soon — and thanks for hearing me out.
