People search engine Rapleaf revises privacy policy

Following inquiries for an article published Friday by CNET News.com, Rapleaf added nearly 700 words to its privacy policy to show its relationship with TrustFuse, a formerly separate part of its business that sells personally identifiable data about Internet users, which it obtains through various social networks and sites. The company also removed the Web site for TrustFuse.com, which now redirects visitors to a page at Rapleaf.com. The updated Rapleaf privacy policy lets people opt out of its system by sending an e-mail to the company.

Rapleaf CEO Auren Hoffman acknowledged that the changes were prompted by inquiries from News.com and that operating two different brands "was confusing." "When you're a small company you have to move quickly. We make small mistakes and you move to correct those mistakes," Hoffman said.

Despite the swift changes, privacy experts still say Rapleaf may be breaching the privacy of people using social networks like MySpace.com and Facebook, among the other social networks to which it links. Rapleaf lets you retrieve the name, age and social-network affiliations of anyone, as long as you have his or her e-mail address. But what the company does not disclose are the details on how it obtains people's ties to social networks through their e-mail addresses--a nifty feat considering social networks typically don't publish members' e-mail addresses.

Because of this, some people believe Rapleaf's practices may be violating the terms of service of MySpace and Facebook by linking to people's profile pages and scraping data from the sites for commercial purposes.

"It seems to undermine the whole social-network model, where small communities are formed within the larger online world. Users typically decide who to 'friend' and who not to friend. But if companies have found a way to scarf up e-mail addresses and affiliations, then that's serious and the Federal Trade Commission should investigate," said Marc Rotenberg, executive director at the Electronic Privacy Information Center, a nonprofit privacy advocacy group.

"Basic privacy rules would require Rapleaf to allow individuals to inspect and correct personally identifiable data that Rapleaf collects," Rotenberg added. "And basic ownership rules suggest that individuals are entitled to any profits that might result from the sale of their data."

Hoffman said his company is trying to respond to such concerns, and Rapleaf plans to make further changes to its site and privacy policy, including eventually giving people access to all of the data it has collected about them so they can manage that information and opt out of its data-collection practices.

Right now, Rapleaf has profiles on roughly 50 million people. According to the company's privacy policies, those profiles might include a person's age, birth date, physical address, alma mater, friends, political affiliations, and favorite books and music, as well as how long that person has been online, which social networks he frequents, and what applications he's downloaded.

In interviews this week and last, Hoffman said the company obtains data on people from Web sites including social networks, and soon, blogs. The company does not have partnerships with any social network, including MySpace and Facebook, to obtain member profile information, including e-mail addresses, he said. Rather, Rapleaf may use the e-mail search features at these social networks to find people's profiles. For other networks, the company uses "proprietary methods," he said.

But in a review of user agreements at various social networks, Rapleaf's business practices appear to violate the terms of service at MySpace and Facebook, among others.

For example, MySpace's terms of service state that MySpace services are for the "personal use of members only and may not be used in connection with any commercial endeavors except those that are specifically endorsed or approved by MySpace.com."

"Illegal and/or unauthorized use of the MySpace services, including collecting usernames and/or e-mail addresses of members by electronic or other means for the purpose of sending unsolicited e-mail or unauthorized framing of or linking to the MySpace Web site is prohibited," according to the social network's terms of service.

A MySpace representative did not immediately respond to a request for comment about Rapleaf.

Similarly, Facebook's terms of service state that all content on the site is the property of Facebook and its users. "No site content may be modified, copied, distributed, framed, reproduced, republished, downloaded, displayed, posted, transmitted or sold in any form or by any means, in whole or in part, without the company's prior written permission."

Facebook spokeswoman Brandee Barker added, "If someone gathers Facebook user data by circumventing our privacy controls, then they are in violation of our terms of service." She did not directly address whether Facebook executives believe Rapleaf violated those terms.

Hoffman said he didn't believe his company's practices were in violation of these terms of service. He added that any search engine that indexes profile pages of MySpace or Facebook violates the user agreements of these sites. "Almost everything you do on these sites is against these terms of service because they're written in such a strict way," he said.

For example, MySpace blocked Photobucket videos and slide shows from being uploaded to its service earlier this year, before eventually announcing that it had acquired the company.

Privately held Rapleaf, whose investors include Facebook backer and PayPal co-founder Peter Thiel, launched in 2006 as a reputation-lookup service. But over the last year, it evolved into a three-pronged service. The first prong is Rapleaf, a people search engine and social network for managing your reputation. Next is Upscoop.com, a similar site that makes it possible to discover, en masse, which social networks people in your contact list belong to. To use Upscoop, you must first give the site the username and password of your e-mail account at Gmail, Hotmail, Yahoo or AOL.

The third business is TrustFuse, which for marketing purposes "perform(s) deep searches on people to enrich data on your users," according to TrustFuse's previous Web site. In other words, TrustFuse packages information culled from sites into a profile and sells the profile to marketers.

According to Rapleaf's new privacy policy, "part of Rapleaf's business model is to help gather information for our clients and give them an opportunity to give their users a better user experience. Rapleaf clients provide e-mail address information on their users for Rapleaf to collect and append data."

That information, including e-mail addresses, is kept secure, according to the company. But Rapleaf said it may collect or maintain such data as the person's e-mail address, physical address and phone number, "demographic, psychographic/interests, friend map/network, Web sites used and other social Web data." It shows links to people's information on Amazon.com wish lists, Bebo, Facebook, MySpace, Classmates, Hi5 and Friendster, among other sites.

EPIC's Rotenberg questions data collection about members of these social networks because many of the users are kids. He added that in the 1960s, when companies first started offering "reputation services," which were called credit reports, "Congress stepped in and passed the Fair Credit Reporting Act to establish some transparency and accountability."