Grouply Talk 2

February 18, 2008

[Posted here by permission of the author, who asked not to be identified.  Another part of a conversation between two moderators.]

… just some follow-up thoughts.

Almost certainly you have only a few Grouply users who might be affected if you use Grouply’s opt-out/disable access routine just released a couple days ago.  Even in massive groups with over 20k members they had less than one tenth of a percent Grouply users each, as of yesterday.  Most groups with 1k-3k members have only one or two Grouply users in them, so far, if any.

Grouply is still in beta, so it hasn’t caught fire yet … and they have enough problems that it may be some time before they do catch on, if ever.  They’re taking a bit of a beating from vocal opponents to their methods.

Meanwhile, I’m not thrilled about the fact that if even just one group member signs up with them, Grouply.com starts mirroring the group’s entire archive and keeps it indefinitely.  Even if you disable access, they still have not installed a means to purge what they had already captured of your archive.  I ran a test with a group that had only one message posted, and it did not get deleted after I disabled access.  They say they are still working on that.

Now I find also that even if a Y! group has its archive access set to mods-only or no access or even no archive at all, Grouply still starts mirroring postings as soon as one member joins them, and makes it available to any/all members of the same group within their site.  That’s an override of moderator control of access to their message archive.  The only way to stop it is for the moderator to use Grouply’s new disable access routine.

Without announcing it to the whole group, you could just quietly disable Grouply’s access, and send a private email to those few Grouply members saying that they can certainly continue as members of your group, just not with their grouply.com email address.

To find them, search for “grouply” in Management | Memberships.  As it stands now, every Grouply subscriber gets their email address for all their groups changed to @grouply.com when they first subscribe to Grouply.  They can change it back later for any group they want, or it will be changed for them by Grouply’s bot if they unsub from Grouply.com, but that search will tell you how many members at least tried it.  I’m sure it won’t be more than a handful in a group your size.

To block Grouply’s access to your group, see:

http://www.grouply.com/owner_controls.php

That also turns off their spam gun for your group (their “Tell Your Groups about Grouply” feature, which sends an advertisement to the group posting address).

Later, if Grouply turns out to be a safe product some day, and becomes popular among YG users (I doubt it), you can go to that link to re-enable access, too.
 


Non-Member Access Granted by Grouply

February 18, 2008
Reportedly Grouply has “fixed this,” but given their sloppy work in having allowed it in the first place, how can we trust them as they keep saying we should do just because they have “TrustE Certification” (as if that is any guarantee of safety).

Posted here by permission of the original author:
————————————————-
Through testing I have found that when a member pending approval in a Y! Group joins Grouply.com, that person shows up by default in Grouply as if they were already a member of the Y! Group, and is thereby able to see a list of other Grouply users in that Y! Group.

In fact, even before the pending member was approved, Grouply.com changed its email address to @grouply.com as displayed in the Pending Member queue.  In the testing I did, that change was accompanied by a change of the test member’s email delivery mode from Web-Only/No Email to Individual Emails.

The email address originally reported to the groups’ moderators as that of a pending member changed before the moderators approved it.  I understand that this is indirectly caused by a volitional act of the pending member, but there is too much likelihood that the member will not understand what is happening, and some group moderators will understandably reject the member on certain grounds when they do something like that.  It seems untoward at best that Grouply would do anything to interfere in moderators’ processes for evaluating and approving new members.  That Pending Member queue is private and confidential.  Grouply.com should not be altering it in any manner whatsoever.

I understand that it can be argued that Grouply acted on behalf of the pending member, with their permission, but it is something like a “back door” type of activity that Yahoo! should not allow, and Grouply.com should not pursue.  It is a step in the direction of exposing Yahoo! Group moderator control of their group to interference by parties unknown to them.

In my testing, the member pending approval was not able to see group messages yet, but I did not stick around long to wait to see if they eventually would (I know that Grouply says they cannot if they are not an approved member), as I feel that my testing activity may be further exposing the group to compromise of security and privacy.

[NOTE:  ANOTHER MODERATOR FOUND THAT INDEED A PENDING, NON-APPROVED MEMBER **WAS** GRANTED ACCESS TO THEIR MESSAGE ARCHIVE BY GROUPLY, AND GROUPLY CEO MARK ROBINS PUBLICLY ADMITTED IT AND SAYS IT HAS BEEN FIXED.  BUT KNOWING THEY MADE SUCH A GRIEVOUS ERROR, HOW CAN WE TRUST THEM TO NOT DO IT AGAIN, OR TO NOT DO EVEN WORSE THINGS?]

It is entirely unsatisfactory and highly disconcerting that Grouply’s activity compels concerned group owners to have to use the Grouply service to find out how it may be interacting with private, restricted group activity.

In my testing, the member pending approval was able to see the identities (full names, photos, personal data and private, non-grouply.com email addresses) of other members already in the group who are Grouply users.  I have not verified this for certain, but it appears that those existing members using Grouply probably can also see the new pending member as if they were already a member.

In my view, this constitutes unauthorized access and usage of the group’s Member List and Pending Member queue.  It is a breach of security and privacy.  I intend to file an abuse report with Yahoo! about it, and write separately to Yahoo! executives and managers about it, though I will wait a bit to see if Mr. Robins will stop this behavior first, and prevent it from happening again.

The Pending Member queue is confidential between group membership applicants, Yahoo! and the group owners/moderators.  Pending Members also must not be allowed to see any content of the Member List of a group that restricts view of the Member List.  That Member List is confidential data.  For Grouply to make any portion or derivative of that content available to NON-MEMBERS (such as ones pending approval) is abuse.  It is especially disturbing that Grouply displays to a pending Y! Group member not just a Yahoo ID (which Grouply does not display), but personal names, photos, email addresses and other personal data of and about the group’s members who use Grouply.

I understand that Grouply members can restrict view of their information within the Grouply system, but the fact is that most of them do not, from what I saw in my testing, and I feel strongly that Grouply.com has no right to inform a pending group member of ANYTHING about the presence of any content on the group’s Member List, even if it is NOT set for restricted view, because if it is to be viewable at all, it should only be via the Yahoo! Groups service.

I see no honor at all in any person or service scraping data from Yahoo! Groups Member Lists, for any purpose at all.  Legal or not, it is wrong, and I find it easily construed as a Yahoo! TOS violation.

Goodbye Grouply

February 18, 2008

I obtained permission from the original author of this post.

The original author asked that I insert the foreword shown below.
———————-
Foreword from the original author:

I referred to Grouply as having “super-owner” / back-door access to
Yahoo! Groups.  That may not be technically correct, or may well be
perceived as incorrect by technical experts.  As far as I know and
understand, the access that Grouply has is caused by members
divulging their Yahoo! IDs and passwords to Grouply, not by some
special arrangement between Grouply and Yahoo! (though such an
arrangement may exist also; I do not know).  While it is my opinion
that members surrendering their confidential passwords in this way is
detrimental to their respective Yahoo! Groups’ best interests, and
their own personal interests, and the interests of many YG
owners/moderators, so far Yahoo!’s apparent silence on the matter
seems to indicate that they do not oppose it, despite the Yahoo!
Terms of Service’s clearly explicit requirement that members preserve
the confidentiality of their passwords.  Grouply’s silence (as far as
I have seen) on this assertion that they have “super-owner” or back
door access granted them by Yahoo! is also disconcerting to me.
————————

Original post in its entirety:

From the publicly accessible message archive at:
http://tech.groups.yahoo.com/group/EmailList-Managers/message/91320

EL-M Moderators: this is my last post on the Grouply topic, so please
indulge me this one more time.

This message below from Mark Robins settles it for me.

Mark, you refer to your service as an email aggregator, but my
groups’ activities are not just an email service.  (By the way, are
you going to start scraping … er, I mean, aggregating … hotmail
too, being just an email aggregator?)  My groups are a social
networking web site service that happens to have email-driven
features.  So you’re not just aggregating email.  You’re scraping web
site content without the permission of the owner (well, that is,
unless Yahoo! gave it to you without telling me), and you obviously
have super-owner access powers that you should not have, for which I
fault Yahoo!, now the reason I’m going back on the market for a
different group service, even if I have to pay an annual fee to get a
truly secure one.

You refer to this matter as your subscribers choosing to have “their”
email aggregated.  That is so contrary to the reality of my groups’
configurations and membership terms that now I can’t help but see the
Grouply concept as delusional.

The content of my restricted group message archive is not THEIR
email.  They don’t own it the way they own private correspondence. 
It is restricted-access web site content that they may receive VIA
email, under terms and conditions established for them by Yahoo! and
me, but the content itself is private, copyrighted by its authors
under law, and restricted from retransmission by the Yahoo! TOS and
by my groups’ internal rules.  It is web site CONTENT before it
is “email,” and my contract with Yahoo! gives me control of that
content in many ways, including ones you seem to think I should
surrender to you.

The members of my group don’t own that content except for the
postings that they write.  They have no right to retransmit that
content to your web site, which is not at all the same as their
privately keeping copies of group postings in private archives in
their private email accounts.

You have no legitimate right to have super-owner back-door access to
fiddle with the controls on my group’s content.  Apparently Yahoo!
has given you that power, or allowed it through neglect, but it does
not make it right, and you don’t seem to care about what’s right, now
that I see you rationalizing away all the real concerns by referring
to it as merely email aggregation.

The group members never had permission in the past (under the Yahoo!
TOS and my groups’ internal rules) to retransmit our restricted
archives to other web sites, so they don’t have any right to give YOU
permission to do it.  And now I will stop them, and make them
understand that if they persist in trying, they will be banned, and I
track their IP addresses so they can’t hide.

I have only just so much time to investigate a security breach before
I decide I have to prevent it from getting worse, or being allowed to
happen again.

You are rationalizing that I should accept your super-owner access to
my group, where you have the ability to override owner controls such
as prohibiting access to my restricted message archive for non-
approved/pending non-members.  Your having now shut that back door to
those pending members doesn’t mean as much to me as the fact that you
had the ability to open it in the first place.  NO EXTERNAL EMAIL
SERVICE PROVIDER HAS THAT ACCESS, and ESPs don’t have members’ YID
passwords to override the fundamental design and structure of my
groups established under a contract with Yahoo! and constituting part
of the basis for a covenant between my groups’ members and me about
how they get to use my groups’ services.  Along comes Grouply
rewriting the terms of the agreements I have in place with my groups’
members and with Yahoo!?  No thanks.

Yahoo!’s silence on the matter is very suspicious.

Soon, after I consult with my attorney about how to get it “just
right,” or maybe have him write the letters for me, formal complaints
will be filed in hard copy with the Federal Trade Commission and my
congressman (about the spamming, or what I suppose is really more
like conspiracy to violate the U.S. CAN SPAM Act of 2003, or being an
accomplice to the violation, since Grouply only gives its users the
spamming gun, but doesn’t pull the trigger, though they remove the
safety lock from the trigger), and with Yahoo (about the super-owner
back door access), and reported to national press media.

No user of Grouply will be allowed to be a member of any of my groups
from now on, and I will do whatever it takes to ensure that,
including requiring that before they are allowed to join, or to
maintain current memberships, they will have to agree to my new No-
Grouply (or UnGrouply) policy in writing.  It won’t take long to
establish this, and I’ve dealt with bigger problems that took more
work than this will take.  I already have a member policy acceptance
process like that in place for my biggest, most important group. 
Nobody gets into my groups without accepting the group rules in
writing before approval … not even Grouply users backed by a
company with special access to the group through a back door.

This is not the first time that I abolished external corporate
interference in my groups.  It will be easier to do the second time
around, and I’ll prepare better for next time.

The only thing that will satisfy me now is for Yahoo! to announce
that they have turned off access for Grouply (and all other such
services) and made it a strictly opt-in feature in the Management
tools of Yahoo! Groups, available only to owners to choose to enable
as a feature.  And I would not enable it in any of my groups.

It’s time for a formally constituted group owners association with a
good legal team and press team working for it.

Again I thank EL-M for hosting this discussion.  It was very
important, and you did a great job.  Thank you.

Goodbye, Grouply.