Non-Member Access Granted by Grouply

Reportedly Grouply has “fixed this,” but given their sloppy work in having allowed it in the first place, how can we trust them as they keep saying we should do just because they have “TrustE Certification” (as if that is any guarantee of safety).

Posted here by permission of the original author:

————————————————-

Through testing I have found that when a member pending approval in a Y! Group joins Grouply.com, that person shows up by default in Grouply as if they were already a member of the Y! Group, and is thereby able to see a list of other Grouply users in that Y! Group.

In fact, even before the pending member was approved, Grouply.com changed its email address to @ grouply.com as displayed in the Pending Member queue.  In the testing I did, that change was accompanied by a change of the test member’s email delivery mode from Web-Only/No Email to Individual Emails.

The email address originally reported to the groups’ moderators as that of a pending member changed before the moderators approved it.  I understand that this is indirectly caused by a volitional act of the pending member, but there is too much likelihood that the member will not understand what is happening, and some group moderators will understandably reject the member on certain grounds when they do something like that.  It seems untoward at best that Grouply would do anything to interfere in moderators’ processes for evaluating and approving new members.  That Pending Member queue is private and confidential.  Grouply.com should not be altering it in any manner whatsoever.

I understand that it can be argued that Grouply acted on behalf of the pending member, with their permission, but it is something like a “back door” type of activity that Yahoo! should not allow, and Grouply.com should not pursue.  It is a step in the direction of exposing Yahoo! Group moderator control of their group to interference by parties unknown to them.

In my testing, the member pending approval was not able to see group messages yet, but I did not stick around long to wait to see if they eventually would (I know that Grouply says they cannot if they are not an approved member), as I feel that my testing activity may be further exposing the group to compromise of security and privacy.

[NOTE:  ANOTHER MODERATOR FOUND THAT INDEED A PENDING, NON-APPROVED MEMBER **WAS** GRANTED ACCESS TO THEIR MESSAGE ARCHIVE BY GROUPLY, AND GROUPLY CEO MARK ROBINS PUBLICLY ADMITTED IT AND SAYS IT HAS BEEN FIXED.  BUT KNOWING THEY MADE SUCH A GRIEVOUS ERROR, HOW CAN WE TRUST THEM TO NOT DO IT AGAIN, OR TO NOT DO EVEN WORSE THINGS?]

It is entirely unsatisfactory and highly disconcerting that Grouply’s activity compels concerned group owners to have to use the Grouply service to find out how it may be interacting with private, restricted group activity.

In my testing, the member pending approval was able to see the identities (full names, photos, personal data and private, non-grouply.com email addresses) of other members already in the group who are Grouply users.  I have not verified this for certain, but it appears that those existing members using Grouply probably can also see the new pending member as if they were already a member.

In my view, this constitutes unauthorized access and usage of the group’s Member List and Pending Member queue.  It is a breach of security and privacy.  I intend to file an abuse report with Yahoo! about it, and write separately to Yahoo! executives and managers about it, though I will wait a bit to see if Mr. Robins will stop this behavior first, and prevent it from happening again.

The Pending Member queue is confidential between group membership applicants, Yahoo! and the group owners/moderators.  Pending Members also must not be allowed to see any content of the Member List of a group that restricts view of the Member List.  That Member List is confidential data.  For Grouply to make any portion or derivative of that content available to NON-MEMBERS (such as ones pending approval) is abuse.  It is especially disturbing that Grouply displays to a pending Y! Group member not just a Yahoo ID (which Grouply does not display), but personal names, photos, email addresses and other personal data of and about the group’s members who use Grouply.

I understand that Grouply members can restrict view of their information within the Grouply system, but the fact is that most of them do not, from what I saw in my testing, and I feel strongly that Grouply.com has no right to inform a pending group member of ANYTHING about the presence of any content on the group’s Member List, even if it is NOT set for restricted view, because if it is to be viewable at all, it should only be via the Yahoo! Groups service.  I see no honor at all in any person or service scraping data from Yahoo! Groups Member Lists, for any purpose at all.  Legal or not, it is wrong, and I find it easily construed as a Yahoo! TOS violation.