Want CNET to notify you of price drops and the latest stories?

At Rapleaf, your personals are public

The start-up aggregates social-networking profiles and, through TrustFuse, opens the possibility of selling that data to marketers.

Stefanie Olsen Staff writer, CNET News
Stefanie Olsen covers technology and science.
Stefanie Olsen
10 min read
In the cozy Facebook social network, it's easy to have a sense of privacy among friends and business acquaintances.

But sites like Rapleaf will quickly jar you awake: Everything you say or do on a social network could be fair game to sell to marketers.

Rapleaf, based in San Francisco, is building a business on that premise. The privately held start-up, whose investors include Facebook-backer and PayPal co-founder Peter Thiel, runs two consumer Web sites: Rapleaf.com, a people search engine that lets you retrieve the name, age and social-network affiliations of anyone, as long as you have his or her e-mail address; and Upscoop.com, a similar site to discover, en masse, which social networks to which the people in your contact list belong. To use Upscoop, you must first give the site the username and password of your e-mail account at Gmail, Hotmail, Yahoo or AOL.

By collecting these e-mail addresses, Rapleaf has already amassed a database of 50 million profiles, which might include a person's age, birth date, physical address, alma mater, friends, favorite books and music, political affiliations, as well as how long that person has been online, which social networks he frequents, and what applications he's downloaded.

All of this information could come in handy for Rapleaf's third business, TrustFuse, which sells data (but not e-mail addresses) to marketers so they can better target customers, according to TrustFuse's Web site. As of Friday afternoon, the sites of Rapleaf and Upscoop had no visible link to TrustFuse, but TrustFuse's privacy policy mentions that the two companies are wholly owned subsidiaries of TrustFuse.

According to TrustFuse's Web site, "TrustFuse has pioneered a unique e-mail address based approach to Internet data measurement. (It) provides a framework to learn about new customers, better market to these customers and...to better predict buying behavior." It continues: "We perform deep searches on people to enrich data on your users. And then we put the pieces of the puzzle together to give you the full picture."

In other words, Rapleaf sweeps up all the publicly available but sometimes hard-to-get information it can find about you on the Web, via social networks, other sites and, soon to be added, blogs. At the other end of the business, TrustFuse packages information culled from sites in a profile and sells the profile to marketers. All three companies appear to operate within the scope of their stated privacy policies, which say they do "not sell, rent or lease e-mail addresses to third parties."

And that's right. Marketers bring TrustFuse their own list of e-mail addresses to buy access to demographic, behavioral and Internet usage data on those people, according to the company's privacy policy and sales documents.

Rapleaf CEO Auren Hoffman said the company does not use e-mail addresses and profiles developed by Rapleaf and Upscoop to deliver services for TrustFuse. Rather, TrustFuse's clients, which he said include presidential candidates and Internet widget companies, will bring it a list of e-mail addresses of their clients so that TrustFuse can perform fresh Internet searches on those people. Hoffman said TrustFuse will typically help clients understand which social networks their clients use so that they can market to them there. For example, a presidential candidate might want to know if his or her supporters are on MySpace.com or Facebook so they can approach people in that environment, he said.

"They say to us, 'I already know about her, but can you tell me these one or two other facts about her,'" Hoffman said. In effect, TrustFuse is a matching service between the marketers' e-mail lists and the online behavior of the people on those lists.

That said, TrustFuse's own privacy policy leaves open the possibility of connecting Rapleaf's information to TrustFuse's marketing material. According to the policy, dated August 1, 2007, "Information captured via Rapleaf may be used to assist TrustFuse services. Additionally, information collected by TrustFuse during the course of its business may also be displayed on Rapleaf for given profiles searched by e-mail address."

Apart from the unusual TrustFuse business, Rapleaf is among a new generation of people search engines that take advantage of the troves of public data on the Net--much of which consumers happily post for public perusal on social-networking sites and personal blogs. The search engines trace a person's digital tracks across these social networks, blogs, photo collections, news and e-commerce sites, to create a composite profile. Unlike Google, which might link to the same material over pages of search results or after trying different combinations of keywords, these sites attempt to "normalize" personal data so that it's easily digested by the searcher on one page.

There doesn't appear to be anything illegal about what these companies are doing. No one's sifting through garbage cans or peeking through windows. They've merely found a clever way to aggregate the heaps of personal information that can be found on the Internet. Indeed, in an age where Web sites offer to "pretext" or steal phone records and do complicated records checks for a modest fee, what Rapleaf and sites like it are doing seems modest.

But the average social-network users might have a hard time understanding how this business might affect their life. "The business model of Rapleaf is sufficiently opaque for the average user to have no clue," said John Carosella, vice president of content control at filtering company Blue Coat Systems.

Just ask Dana Todd, a co-founder of Internet ad agency SiteLab, who was concerned about her own profile on Rapleaf, which included many social networks she didn't remember belonging to.

"It's my growing horror that everyone can see my Amazon Wish List. At least I didn't have a book like 'How to get rid of herpes' on there, but now I have to go through and seriously clean my wish list," she said.

"The sites appear to be cool, but what lurks underneath is a powerful force designed to stealthily observe and collect data about you, and develop a marketing campaign to get you to behave the way they want."
--Jeff Chester, director, Center for Digital Democracy

Privacy advocates, of course, have complained about aggregation of personal content like this for years. Put this information in the wrong hands--of say, a stalker--and you could have a problem. In the hands of a government, it's a means to spy; in the hands of a hacker, it's an opportunity for identify theft; and in the hands of a marketer, it's a potentially lucrative business.

That's particularly true because this coalesced data could be personally identifiable--tied to names, e-mail, physical and IP addresses and other details on the person's habits. At a time when the heat is on search engines like Google and Microsoft to regularly purge personally identifiable and search history data on users, sites like Rapleaf are amassing detailed profiles from publicly available data.

"There's no question we've entered an era where people are simultaneously living their lives online. But there's a naive quality here that these sites have set up. The sites appear to be cool, but what lurks underneath is a powerful force designed to stealthily observe and collect data about you, and develop a marketing campaign to get you to behave the way they want," said Jeff Chester, director of the Center for Digital Democracy, a Washington-based consumer advocacy group.

For this reason, the Center for Digital Democracy will ask the Federal Trade Commission at a November hearing to formally open an investigation into privacy issues at social-networking sites. "Clearly, a (privacy) standard is necessary," Chester said.

Rapleaf's data business
Rapleaf was founded in 2006 by two University of California at Berkeley graduates, Manish Shah and Hoffman, a longtime Silicon Valley entrepreneur. With the tagline "it is more profitable to be ethical," Rapleaf launched in May 2006 as a system that helps keep track of your reputation as you buy and sell things online.

It drew attention as a viable open reputation system that could rival eBay's closed one for making decisions like hiring a babysitter, buying goods on Craigslist or working with a job candidate. Shortly after it launched, the company raised nearly $1 million in an angel round of funding led by Thiel, former Google employee Aydin Senkut, Web 2.0 financier Jeff Clavier and well-known angel investor Ron Conway.

Rapleaf broadened its focus over time to be more efficient, Clavier said, and launched its people search engine this summer. "Reputation is used in e-commerce, but the concept of people search is actually broader. It's an aggregate profile, using your e-mail as a proxy," Clavier said. "It allows you to build it without the need for people to contribute. Here you bypass the issue: I'm just going to go on the Internet, and find information on hundreds of millions of people and aggregate that."

So how does Rapleaf make money off this? Neither Rapleaf CEO Hoffman nor Clavier would say in early discussions, but when later discussing TrustFuse, Hoffman said that the company isn't making money yet. He said that TrustFuse has only been experimenting with clients for the last couple of months and doesn't charge much for its services. "First you work out the technology, before you work on monetizing that technology," he said about Rapleaf.

Sites like Rapleaf are also trying to be social networks, urging people to become members and claim their identities across multiple networks so they can manage their reputation and privacy. In fact, Hoffman says Rapleaf is designed to help people protect their privacy.

"We're helping you manage your privacy. You might not even know there's all these things about you out there. We're learning all this stuff about you. And now you can manage all this information," Hoffman said.

He said Rapleaf has about 50 million profiles, which include people's associations with Facebook, MySpace, LinkedIn, Bebo, Classmates.com and Amazon.com's Wish Lists, among other networks. Hoffman said the company soon plans to add blog searches to its database, among other coming features.

To illustrate the power of Rapleaf, CNET News.com did a search on Hoffman. From his profile page, you'll find out he's a 33-year-old single white male originally from New York. He graduated from UC Berkeley in 1996 with a degree in industrial engineering and operations research. He has profiles on 17 different social networks, pens a blog, and is linked to 11 e-mail addresses. (Eight are kept private on Rapleaf, but that domain has been in use since March 2005.)

From these links, you can find out that he's founded and sold three companies, including enterprise software firm Bridgepath and lead-generation company GetRelevant, which Lycos bought in 2002. He's also an investor in ad firm Brightroll and is an adviser to Pacific Research Institute, a nonprofit political group. From MySpace, you'll find he's an Aries who likes "anyone who stands up to the Man." And his Amazon Wish List shows that he wants a self-inflating travel pillow and the book More Sex Is Safer Sex: The Unconventional Wisdom of Economics.

One big question about Rapleaf is how it obtains access to people's social-networking profiles, considering that sites like Facebook, MySpace and LinkedIn don't publish their members' e-mail addresses as a matter of policy. When asked, representatives from these social networks said that they do not have partnerships with Rapleaf, nor other search engines, to provide access to e-mail addresses.

"People are exposed because they're out there on the Internet, but they're not exposed because of anything we did."
--Kay Luo, director of communications, LinkedIn

Kay Luo, director of communications at LinkedIn, said it plainly: "People are exposed because they're out there on the Internet, but they're not exposed because of anything we did."

Rapleaf's Hoffman said that the company finds profiles through the e-mail search at certain sites, including MySpace, LinkedIn, Facebook and Amazon. MySpace, for example, lets visitors find a profile by e-mail address or first and last name. But for other sites, Rapleaf employs a "secret sauce," according to Hoffman. It's not always easy either. Hoffman said the company hasn't figured out how to crack into accessing members on Digg, for example, even though it would like to.

According to Upscoop's privacy policy, the company "is able to obtain and may display information on a person or e-mail from other sources that are at our discretion. This information obtained from other sources is publicly available. Information may also be extracted from private social-networking sites and online communities based on special access." Hoffman said the company has no special access, however.

Security experts say one technique used to find people on social networks could be joining the social network and then ferreting e-mail addresses by deducing naming conventions at big companies. Employees at Google, for example, have addresses with the person's first name and last initial, with @google.com. By understanding naming conventions, an automated crawler could scour a social network for profiles by trying out various combinations of names.

Ali Partovi, CEO of the social music service iLike, said he considered hiring Rapleaf/TrustFuse to figure out how many of its Web users were also on Facebook and other social networks, so iLike could cross-market to those who weren't. But he ultimately decided against using the service because it meant divulging the e-mail addresses of his own users.

"One of the reasons we decided not to work with them is because it would violate our privacy policy. Our privacy policy wouldn't allow us to give a third party access to our e-mail database," he said.

Clavier said Rapleaf is only working off what's already available. "What's interesting is that when you read about what Wink, Rapleaf and others have been doing, it's suddenly like, 'Oh my God, this is a lack of privacy.' But it's only aggregating what's out there. It used to take several Google searches to find the information--now it's a one-stop shop."