Biden's $400B vaccination plan Galaxy S21 preorders Google Doodle celebrates basketball inventor Drivers License breaks Spotify records WandaVision review Oculus Quest multiuser support Track your stimulus check

Why are old SpiralFrog users getting spammed?

Records show that the founder used a copy of users' e-mails to help compensate at least one former salesperson, who then sold the list.

Ever since ad-supported music service SpiralFrog shut its doors in March, former users have complained about receiving a glut of spam.

"SpiralFrog seems to have sold their members' e-mail (addresses) to spammers," a CNET reader commented in response to a May story about some of the company's struggles. "I signed up for the service with a unique e-mail address. As soon as the service shut down, I started getting massive amounts of spam sent to that address. Anyone else have this problem? Pretty slimy."

It's still unclear how many spammers obtained a list of e-mail addresses belonging to about 2.5 million registered users of the now-defunct service, as well as how they all obtained the addresses. But it is clear that at least one company obtained the e-mails by paying a former SpiralFrog salesman $8,500, CNET News has learned.

SpiralFrog CEO Joe Mohen authorized former employee Tim Bieber to sell customer e-mails with no privacy restrictions. Bieber's address has been redacted from this document. Greg Sandoval/CNET

A review of SpiralFrog's documents provided by a start-up that purchased the e-mail list shows that SpiralFrog's founder and CEO, Joe Mohen, authorized the sale days before creditors took control of the company's assets on March 13, 2009. Leading up to the sale, Mohen gave the list to Tim Bieber, a former SpiralFrog salesman, as compensation for back wages the company owed him, records show. Mohen did this despite SpiralFrog's promise to protect users' privacy.

"SpiralFrog will not share, sell, or trade personally identifiable information collected at the site with third parties, except as described in this privacy policy," the company said in its privacy agreement. "On a confidential basis only, SpiralFrog may share personally identifiable information collected at the site with corporate affiliates, consultants, or third parties performing a specific service or function on our behalf."

Documents show the sale of the addresses had nothing to do with a company working on SpiralFrog's behalf. Indeed, the sale took place weeks after the music service shut down. Mohen acknowledged to CNET News that there wasn't anything in his agreement with Bieber to prevent the former salesman from selling the list as many times as he wanted, to whomever he wanted. Bieber did not respond to numerous interview requests.

"The users who signed up with SpiralFrog were given the clear impression that their e-mail addresses would not end up in the hands of spammers," according to a former SpiralFrog employee with knowledge of the sale, who spoke on condition of anonymity. "Companies routinely promise to protect privacy and very rarely break it. SpiralFrog kept its promise until the day before shutting down."

In 2000, Arizona Sen. John McCain called for legislation that would prevent bankrupt Web stores from selling their customers' personal information without their knowledge. Greg Sandoval/CNET Networks

In two interviews with CNET, Mohen acknowledged that in March, he "licensed" the user data. Mohen told CNET in June that to the "best of my recollection," the licensing deals complied with SpiralFrog's privacy agreement. Last week, however, Mohen said the agreement he had with Bieber, based in Vancouver, British Columbia, did not go far enough to protect customer privacy.

"In retrospect, I should have added tighter language to that agreement," Mohen said a week ago. "In the later days of the company, Tim Bieber was owed money by the company, and I struck an agreement with Tim to avoid litigation. To satisfy the liability, I licensed to Tim the user database."

Plenty of consumers suspect retailers of secretly sharing their information, but because of the shadowy way in which spammers conduct their business, tracking down the responsible party is nearly impossible. And once an e-mail list falls into the hands of spammers, it can be sold and resold.

Internet users often go to great lengths to protect their e-mail addresses from spammers. The history of the Web, however, shows that for dying start-ups, the temptation is to look upon the data as just another asset to be liquidated. The situation at SpiralFrog is similar to one that occurred when the dot-com bubble burst in 2000.

Nine years ago, CNET News reported that three dot-com failures, including Disney-backed Web store, tried to auction off customer data the companies once promised never to share, such as credit card data and phone numbers. Members of Congress, including Arizona Sen. John McCain, argued that bankruptcy didn't give companies the right to break promises to consumers.

"I'm hanging by (the) ends of my fingernails."
--Tim Bieber, former SpiralFrog salesman, in an e-mail to Mohen

The Federal Trade Commission sued Toysmart and eventually blocked the sale. As part of a settlement, Disney agreed to purchase Toysmart's customer information for $50,000 and then destroy it.

Authorizing the sale
The sale of SpiralFrog's user data began sometime around March 27, when Bieber approached executives at the start-up that purchased the list, according to that company's attorney.

The start-up's lawyer, who has asked to remain anonymous, said that after wiring $8,500 to Bieber on March 31 to obtain the user e-mail list, the company has not shared or sold SpiralFrog's user information with anyone, and it has obeyed all laws in acquiring the list. To prove his point, the attorney said that when Bieber first approached the start-up about selling SpiralFrog's user addresses, executives there wanted proof that he was authorized to sell the list.

That wasn't a problem. Bieber had asked Mohen for written authorization two weeks earlier, documents show.

"Joe, I'll be needing something simple in writing from you authorizing me to (be) selling this database as part of remuneration," Bieber wrote in an e-mail dated March 12, the day before creditors took control of SpiralFrog. "So far, the list is useless without some paper authorizing its resale--even loose paper explaining the nature of how I came across the list...You dig. Let me know ASAP."

Click the image above to read our story on how a fractured management hurt SpiralFrog

Mohen then gave him rights to use the list "for commercial purposes on a nonexclusive basis" for six months. Bieber forwarded the document to the start-up that purchased the list. In addition, the start-up's executives met in New York with Mohen, who confirmed that Bieber had the right to sell the list, the start-up's attorney said.

It is unclear whether Bieber distributed the list to anyone else.

Mohen said SpiralFrog had stopped paying employees sometime in November 2008 and that Bieber had worked for an extended period without receiving compensation. On February 26, 2009, Bieber wrote Mohen that he was prepared to take legal action, if he wasn't paid.

"Joe, hope (you) got good news from your conference call last night. I file a lawsuit next week naming (SpiralFrog) and 3V (the hedge fund that loaned SpiralFrog money for nearly two years), unless you provide me with funds and a payment schedule by end of week...I'm hanging by (the) ends of my fingernails."

Editors' note: Go here to read some copies of SpiralFrog's correspondence.