No such thing as a "free lunch"

Raymond has had a few blogs about privacy policies lately. It has motivated me to write a little bit about a bad experience I am currently having through no fault of my own, although unlike Raymond I don't feel comfortable naming the particular company. After reading how negative this entry is, you'll understand why! Just consider this a general warning for how bad some of the web sites are out there, and always think twice (actually, even thinking once would be good enough) before typing your name and address into a web form.

The setup:

A few weeks ago, I received an email from a friend saying "Go to this web site and we'll both get free stuff."

"Yeah right," I say to myself, "TNSTAAFL."

So I cruise on over to the site anyway, just to see what kind of a scam they're trying to pull, and I go to the place that is supposed to tell me how my friend and I can get "fee stuff." Simple, the site says. It's a basic 3-step process:

  1. Sign up
  2. Tell friends
  3. Get free "stuff"

It also claims "No hidden costs!" which is in direct violation of the TNSTAAFL theorem. Hmmm, let's dig a little deeper, shall we...

The skinny:

First of all, unlike your average web site, "signing up" involves giving them your full name, postal address, and date of birth. (Remember they already know my e-mail address because my oh-so-helpful friend gave it to them). And of course you can't lie about your postal address, firstly because that would be dishonest and be grounds for them terminating your account, but perhaps more importantly (at least from their perspective) that's where they'll ship the free stuff too, so it makes no sense to lie.

OK, let's assume I'm crazy enough to give them this information (obviously I'm not, for reasons we'll get to in a moment). Step two, "tell friends," is a gross mischaracterisation of what has to happen next. What step two really involves (per their helpful FAQ) is you convincing five other friends to sign up. You don't just have to enter five email addresses into the system - oh no - you actually have to get five warm bodies to go to the site and "sign up" themselves (see comments on step one, above). And of course, to be on the safe side, you're going to put in more than five addresses, just in case some of your friends (like me!) are too smart to sign up, aren't you?

Hello! Can you spell "Pyramid Scheme"?

Now let's assume for the moment that you only convince four people to sign up. Oh, sorry about that. No free stuff for you! But they do have your PII (personally identifiable information -- name and address) and that of four of your friends. And let's say that each of those friends got three people to sign up. That now makes 1 + 4 + 3 + 3 + 3 + 3 = 17 fresh names and addresses, for zero outlay on behalf of the web site. What a great business model! Maybe you should enter in some more names to increase your chances of getting people to sign up?

OK, so let's be optimistic and assume you got five "friends" (they won't be your friends much longer!!) to sign up. Let's move to step three, "get free stuff."

But wait!

You're missing the crucial (and conveniently "forgotten"-to-be-mentioned) step 2.5 - "Buy something from our advertising partners." Yes, that's right! Not only do yo have to scam five of your friends, but you have to purchase something from this web site's "advertising partners" in order to qualify for the "free stuff." Free isn't looking so good any more, now is it?

OK, OK, we'll pretend that you actually like one of these offers and are willing to shell out the cash on it to get your "free stuff" -- what next? Well, sure, they'll ship you you're free stuff. BUT, it's only a voucher for the free stuff, it will take 6 to 8 weeks to get there, and it's only valid for one month. (One can only hope that the one-month time bomb starts ticking after that two-month delivery delay, but looking at the rest of the site I wouldn't put it past them...). Obviously I never got this far into the process, so who knows what other loopholes and dastardly schemes await you when you try to take advantage of one of their "special offers" -- I can only imagine the horror.

So far, so... good? Maybe, I guess, if you really wanted that free stuff, didn't care about giving away your PII and that of your friends, and were going to purchase something from the advertising partners anyway. By the way, did I mention that the "free stuff" has a retail value of less than ten dollars? That's right, it's not even very good free stuff! (And you know that if the retail value is less than ten dollars, then the cost of buying vouchers at a wholesale discount is likely to be considerably less than ten dollars).

But the plot thickens. Not only does the site deceive you about the process of getting "free stuff," but they have the worst privacy policy I've ever seen (as Raymond says, all you have to do is disclose it; doesn't matter how bad it is!). Essentially the policy says (paraphrased):

We will rent or sell your PII (name, postal address, e-mail address, survey results, etc.) to any third party.

At least they don't mince their words! Gotta give them credit for being honest, I guess. They also have the usual stuff about tracking your progress around the site to provide targeted ads, but I am actually in favour of this -- if you're going to bombard me with ads anyway, at least make them ones I might be interested in.

Then they have a bit about how they are opposed to spam, how it is strictly against their policy, yada yada yada, and yet by their very own admission (above) they are willing and able to give your PII (at a profit!) to other people who have no use for it other than to, uh, send you unsolicited junk mail (that would be spam, duh!). Plus I've received at least three or four "reminders" from this site to sign up, even though I don't want to, and I count that as spam. I can't just block the mail as junk, because they are sneaky enough to send it from my friend's address (gotta love the built-in spoofability of SMTP -- imagine the flack we'd get if Microsoft ever invented such a horrible protocol!). I guess technically they could claim it's not spam since my friend "volunteered" the information (and thereby acted as a proxy for me), but it's still pretty shady.

In the end, it is user stupidity that lets this site succeed (yes, I'm calling my friend stupid in this regard. She knows :-) ). My friend simply got the invitation e-mail from one of her friends, clicked on the link, thought it was cool, filled in her name and address, and added the e-mail addresses of ten (not five, but ten!) of her friends to the site. Now she wishes she hadn't.

What this site gets is a list of people's names and addresses. It's a very valuable list, because not only does it contain your postal address (most spam lists on the internet -- e.g. those from newsgroup trawlers -- are limited to your e-mail address), but it is also highly targeted. Only those people interested in this particular type of free "stuff" would have signed up, so the list is pretty "clean" when it comes time to sell it to vendors of "stuff" who wish to spam you. It gets the list without breaking the law, because all users volunteer the information (including "leads" of new people to spam). It will rarely have to "pay out" to users, because nearly all of them won't meet the requirements. (Specifically, there will always be the "leaf nodes" at the edge of the pyramid who haven't signed up enough people yet, so at best (or worst) they only have to pay out 1 in 5 people, but it's likely to be a lot less frequent than that). To be fair (ha!), you can get "free stuff" without joining the pyramid scheme if you accept more offers from their "advertising partners", but that's not what they're advertising and it hardly qualifies as "free" in my book.

Even when the site does pay out, the value of the "stuff" is quite small. And the chances are that, just like mail-in rebates and other kinds of vouchers, most people never actually use them because either (i) they aren't in a situation to use the vouchers in the month before they expire, or (ii) they always forget the vouchers at times when they would be able to use them. I would bet that unclaimed vouchers cost the site nothing (except the original price of postage). Furthermore, the site probably gets advertising revenue and kickbacks from its partners, and gets to keep and market your PII in perpetuity.

One funny thing: The site's privacy policy says that you can opt-out of their database at any time by cancelling your account. Sounds like a good deal, yes? Not so fast, hotshot. Since the site can sell, rent, or market your information to any third party, they could conceivably "sell" it to themselves (under the guise of a separate entity, of course) as soon as you hit the "Submit" button on their registration form, so even if you immediately cancel your account (having realised it for the scam that it is) you are SOL (def: out of luck). The other site "bought" your PII and has no obligation to ever delete it!

My plea to you is: Don't do it! Always read the privacy policy of sites before you enter anything into them. Even then, you can only really trust the privacy policy if the site itself is reputable. One way to check if a site is "reputable" -- albeit not a foolproof one -- would be to see if they have an SLL certificate issued from someone like VeriSign (just go to their web site using an https prefix rather than http, and double-click on the lock that appears in your browser to view the certificate information). At least then they had to fork out some cash and give up their own PII in order to get the cert, so you can be fairly certain they're not complete fly-by-nighters.


Let's count the ways this site is bad:

  1. Sends e-mails from your friend's address, not from their web site address, so you can't block the spam
  2. Misleading invitation email (going to the site - and even signing up - isn't sufficient for either my friend or myself to get the free stuff)
  3. Blatant lie in the "No hidden costs" advertisement (unless of course you consider having to buy stuff from "advertising partners" and having your PII sold to all and sundry as a "benefit")
  4. Gross mischaracterisation of the process to getting "free stuff"
  5. Pyramid scheme. Need I say more? :-)
  6. Incites users to add their friends to the "please spam me" list (OK, this is more the fault of clueless users than the web site itself, but it plays on people's gullibility, which is bad).
  7. Requires a purchase from an "advising partner" to quality for the free stuff. The site almost certainly gets a kick-back from this purchase
  8. More than likely also gathers ordinary advertising revenue from those same "partners"
  9. Ships ridiculously short time-limited vouchers of minimal value after an overly-long delivery delay
  10. Mathematically guaranteed that over 80% of their "users" will never actually qualify to receive the "free stuff" as advertised, even after giving away their PII (and the PII of their friends)
  11. Maintains the right to sell / rent / market all the PII to whoever they want, whenever they want. Theoretically you can never be removed from their database, even if you cancel your account
  12. They can simply decide to stop offering deals from their "advertising partners" at any point in time (thereby making it impossible for users to qualify for further "free stuff"), and live off the profits of their highly targeted e-mail and snail-mail marketing database
  13. Claims to have a policy against spam, when they send spam themselves and enabling other spammers is clearly part of their business model!

Bonus section:

If you read the privacy policy down to the end, it says (paraphrased):

We use awesome security measures to protect the loss, misuse and alteration of your PII.

Surely the missing "against" is a mere typo... or is it? (Cue spooky music, with thanks to Eric!)

It's not just me:

A quick Googling of this company reveals that it is mentioned on a well-known "urban legends" web site and their e-mail practices have come under question from other people before.


We already have enough criminals, spammers, credit card phishers, 419-scammers, fraudsters, and other all-round "bad people" ruining the internet for everyone else -- don't voluntarily get yourself (and your friends) involved in web sites like this. Please, please, just take a second to think before you sign up for "free stuff" on the 'net.

...and I'm spent.