Rapleaf and the Facebook Privacy Ruckus

Updated: In the analog world of J.Crew catalogs and credit card purchases, credit bureaus like Experian built profiles on most of us. In the digital world, a new kind of digital data aggregator is spreading its tentacles on the web.

The latest privacy-related dust-up at Facebook, sparked by a WSJ story, might be making Facebook the target of consumer ire, but in my opinion, the real story centers around a San Francisco-based Internet information aggregation company called Rapleaf. In their story, Emily Steel and Geoffrey Fowler of WSJ write:

In this case, however, the Journal found that one data-gathering firm, RapLeaf Inc., had linked Facebook user ID information obtained from apps to its own database of Internet users, which it sells. RapLeaf also transmitted the Facebook IDs it obtained to a dozen other firms, the Journal found. RapLeaf said that transmission was unintentional. “We didn’t do it on purpose,” said Joel Jewitt, vice president of business development for RapLeaf. Facebook said it previously has “taken steps … to significantly limit Rapleaf’s ability to use any Facebook-related data.” The most expansive use of Facebook user information uncovered by the Journal involved RapLeaf. The San Francisco company compiles and sells profiles of individuals based in part on their online activities.

The funny part is that Rapleaf doesn’t need any of the user ID stuff. All it needs is an email and it can build a profile of you that is scary, to say the least.

If you want to understand what Rapleaf does, I suggest you visit the website of a San Francisco-based startup, Flowtown, which specializes in helping companies craft social media marketing messages. Enter anyone’s email address, and you will see information pop up about him or her, including links to their social networks and even some of their most recent postings. Flowtown gets most of its information from Rapleaf (along with a handful of other sources), which in turn gets its information from Facebook apps and other sources.

Rapleaf’s influence on the web is only increasing. Take for instance startups such as Rapportive, which makes an extension that plugs into your Google mail account and gives you access to profile data of the person you are exchanging emails with. The data for the service is coming from Rapleaf. Rapportive competitor eTacts also pulls data from Rapleaf. And so does Gist. It is not clear if these startups share any data back with Rapleaf, but I would think there has to be some quid pro quo.

“In contrast to other startups in our space who have entered into data-sharing agreements with Rapleaf in exchange for free data, we explicitly ensured that we would not have to share any data back to Rapleaf (for the good of our users),” Howard Liu, co-founder of eTacts, emailed us in response to a query. Rapportive CEO Rahul Vohra also confirmed in our comment section that his service doesn’t pass any data back to Rapleaf. And so did the Gist CEO. (We will be talking to a Rapleaf executive tomorrow morning and are going to get an update from some of the other startups as well.)

Think of it this way: If data is the currency of the web, then Rapleaf is controlling a lot of it. Rapleaf knows a lot more about you, your social connections and what you do — more than you realize.

40 Responses to “Rapleaf and the Facebook Privacy Ruckus”

  1. I was just contacted by RapLeaf and they told me that they are no longer providing Social Profile Links (end of this month). 2 questions: What will happen to companies like FlowTown? Where can we get this data from now?

  2. Hi Om,

    I wrote a blog post several months ago about how to find a person’s email address, verify it and then use other services to enrich it. I never published it due to not being totally comfortable with what I have written. The process involves (where the email address is not known):

    1. Guessing the email address (there are a number of ways)
    2. Verifying this using the largest professional network (and if needed the largest social network)
    3. Once verified, add to web applications that could enrich the email address by finding out social profile and then automatically capture every update of her/his web activities.

    In addition, there are many startups offering digital cards where individuals willingly add their profile data.

    Given the above, it is unclear who is the bad guy in this case, as we have all provided the information willingly in the first place to various web applications. Selling our data to third parties was pioneered by people such as Experian, and it happens every day whether we like it or not.

    Perhaps, there ought to be a set of best practices that reputable applications will adhere to. You can take it to another stage by allowing third party audits, etc.

    Not a simple issue…I am glad you raise it though..

    Best regards

  3. [posted this yesterday – not sure if it’s stuck in moderation]


    Thanks for writing the blog post, you’ve surfaced some solid points.

    1. Flowtown does not pass back data to Rapleaf or any other data partner.
    2. We’ve always been hyper sensitive to make sure we’re stewards of good data and make it easy to opt-out.
    3. We’ll be publishing explicit details on what data we aggregate, how it’s used, and our policies around it.

    Best regards,

    Ethan Bloch (@ebloch)

    • @Ethan A few questions:

      1. Are you saying you don’t pass email addresses to Rapleaf to get additional data about those accounts? Sounds hard to believe.

      2. Where is the URL for me to opt-out of having my email/user data used by Flowtown?

  4. The data held by Experian and Acorn and folks like that is pretty phenomenal–these are models that have been built up over many many years.

    But the big distinction with the old style folk and new providers (like Rapleaf) is the presence of the opt-out. The opting out is much easier and baked into Rapleaf’s website/business (at least it was last time I checked).

    Rapleaf does seem to sail close to the wind, but I don’t think it is much closer necessarily than many established firms like Experian or Acxiom or CACI — it’s just that it sits on the pulse of the Valley echochamber, so seems to attract undue attention.

    You can take email addresses to many vendors and be given details on likely income, address, household size and a host of other variables.

    This data cat has been out of the data bag for a darn long time.

  5. Om,
    Rapleaf actually sells profile information to companies like Rapportive at the rate of 5 cents or so a pop – this is their core business model. So there is no quid pro quo required in terms of Rapportive et al to share back any data to Rapleaf.
    The bigger worry – beyond the fact that Rapleaf can construct a social profile on the basis of an email ID – is that each of their customers is also presumably caching this data on their own servers (why pay more than once for the same profile result) and this opens up multiple leakage points for this data to be potentially used in a mala fide manner…who is going to police this even if Rapleaf ostensibly respects some privacy/opt-out controls?

    • Sumanth

      Thanks for the comment and offering details. I am not clear on Rapportive and if they send information back to Rapleaf or not. We are waiting to hear back from them.

      On the second part of your comment, I indeed agree with you. It is clear that even if you opt out of the service, there is little you can do about all the data that is already out there.

      • Go ahead. Opt out. But then this terrible Rapportive add-on which is likely being used by at least one of your friends will just re-submit your data back to Rapleaf and your account will be reactivated. Seriously. That’s how much this entire situation sucks. Rapportive doesn’t need to pass additional data – your real name and email address are plenty!

      • Daniel, as above I’d like to correct some misconceptions: a. we are not passing back real names or any “additional data”, and b. that’s not how opt-out works. As Marc and Azeem have pointed out, the opt-out in fact opts you out. Permanently, both for Rapleaf and its entire ecosystem. Your account cannot be “reactivated” by somebody looking up your email address.

      • Rahul,
        How does this work in practice? Since you are also caching this data on your servers, do you delete say Om’s profile information from your servers as well once he opts out of Rapleaf from their website? Do you get a trigger from Rapleaf asking you to delete this information?
        Does it work the same way for every customer who is using Rapleaf? What is the guarantee that every customer would also do likewise?
        I severely doubt that this is the case…

  6. miten sampat

    thanks for writing the article and following up with the various parties involved. it is a bit scary that tools like Rapportive might be sharing information back with RapLeaf.

    i think the nature of information sharing between services is acceptable if the user is presented with some knowledge of how that information is being shared.

    learning about it after being a user of these services is where users feel betrayed.

    look forward to your updates tomorrow.

      • Rahul, The bottom line is that your product is providing many of your users’ email contacts and real names to Rapleaf. That just sucks! If these users don’t have a dossier at Rapleaf then you just started one for them! I am confident if your homepage explained that clearly (and accurately described what Rapleaf does as its core business) then you would see a significant drop in the usage of your product. Very lame. I think you are being very dishonest.

      • Daniel, I’d like to correct two important misconceptions about our product and Rapleaf:

        1. We are not sending any real names to Rapleaf. As far as we know, neither are Gist, eTacts or any of Rapleaf’s other customers.

        2. We have vetted Rapleaf’s privacy policy and business model very carefully. You seem to believe that they sell the actual email addresses, which is incorrect: they sell information about email addresses. In particular, they sell publicly accessible information. And most importantly, they sell publicly accessible information about email addresses only to organizations which *already have* those email addresses.

        Please take some time to think that through. Rapleaf does not provide information about an email address to an organization which did not *already know* the address. (And if they did, we would leave them.) That is key.

      • Rahul,
        Your reply to Daniel mentions that you are not sending back real names to Rapleaf but doesn’t address his point that you are sending email addresses back – I guess you don’t consider this as “data”.
        The problem with your argument is that Rapleaf can use “customers” such as yourself to actually harvest email addresses against which they can run their scraping engines to attempt to construct social profiles for the said address. Thus, whether intentionally or not, you are helping Rapleaf seed their database and to the specific point at hand, you are being disingenuous by claiming that you are not sending back any data to Rapleaf.

      • Rahul, Say what you want but based on your words above at the very least it’s safe to assume that your service is assisting RapLeaf in several ways.

        (1) data collection: by sending RapLeaf my friends’ email address you are indirectly informing them that an account exists whether or not it is currently in their database!

        (2) verification: the way your app collects and sends email addresses to RapLeaf verifies by default that an email account is currently active!

        There is simply no way to deny those two points. Without digging into your code and/or sniffing packets I will take you at your word that you aren’t sending additional data besides my friends’ email addresses but that really is beside the point. I’m offended you’ve given my friends’ data over to a 3rd party! I’m sure my friends would be furious with me if they knew I was doing this to them via your service. You make none of this clear on your website either.

        Like it or not your service is creating a marketplace for user data that most internet users do not want to be harvested and re-sold by 3rd parties. Maybe you should aim to say not just that your “users’ privacy is sacrosanct” but that your “users’ data about their friends is sacrosanct too.” There are other ways to do what you’re doing without involving a sketchy middleman.