Xobni
Streetwise Security Zone Community


Subject: Xobni
posted by RobBell on Friday, June 26th 2009 @ 9:05 AM

Hi,

I was wondering if anyone has views on this email/social networking service from an email security standpoint. Thanks!


ScottWright
Group Administrator

Subject: RE: Xobni
posted by ScottWright on Friday, June 26th 2009 @ 11:18 AM

This is an interesting approach to leveraging multiple social networks through the simplicity of your Outlook email system. In general, I like this approach better than allowing each individual social networking site to run through your address book looking for contacts that it knows about.

As long as the application itself does only what it says it will do, it seems pretty safe. No matter what address book mining software you use, the question you might want to ask yourself is, "Do your email contacts approve of you submitting their email addresses to a third party for analysis?"

Xobni's privacy policies look reasonable, but they do not accept liability for any type of breaches relating to the information you provide to them through the application.

If a partner of yours had their email address abused - maybe sent to a SPAM engine - could it be linked back to your use of the tool/service? If so, what damage could that cause you or your business?

I wonder how soon it will be before we see disclaimers in email signatures that say:

"For communications efficiency purposes, your email address may be provided to third parties by my email system immediately upon receipt. I do not see any significant risks in doing this, nor do I accept responsibility for its protection. If you do not wish for me to do this, it's too late... sorry about that. Will you please forgive me?"

On the other hand, would Xobni, or other providers, consider giving us the option or control over when scanning is done, and allow us to exempt senders who express the desire to opt out?

On the surface, this seems unlikely. But these are issues I would consider, and ask my stakeholders, before using the tool.

- Scott

________________________________
Scott Wright
The Streetwise Security Coach

Would your organization be interested in obtaining the right to use my lessons or articles in your enterprise security awareness program? Please email me at the address below...

Email: scott@streetwise-security-zone.com
Twitter: http://www.twitter.com/streetsec
Phone: 613-693-0997
Podcast: http://www.streetwise-security-zone.com/podcast.html

Subject: RE: Xobni
posted by RobBell on Friday, June 26th 2009 @ 4:30 PM

Hi Scott,

Thanks for the reply. Leaving the vendor commitments aside for a moment, do you think this application puts email content at risk?

Thanks, Rob


ScottWright
Group Administrator

Subject: RE: Xobni
posted by ScottWright on Sunday, June 28th 2009 @ 11:25 AM

Without having had a chance to review the product documentation or do any research or testing, I would expect that the program would be no more of a potential risk than any other Outlook plugin from an independent vendor. You have to be able to trust that their code does what it says it will do, and nothing more.

From a Data Leakage risk point of view, there can be an increased risk for any program you install whose design you can't validate and verify.

What can you do to have a better feeling of assurance that a candidate product's functionality won't increase the risk unacceptably? That depends on your business environment, network architecture and culture. These are things I'm better at helping with in "meatspace" (as opposed to "cyberspace"), if you'd like to contact me.

As I said earlier, I'd generally be more worried about the repercussions on my contacts, and how they would feel about the way their email addresses are being used with this type of product. I'm all for leveraging social media tools, but there can be a tendency to ignore obvious risks, mostly because everyone else is.

BTW - I just got an email from a distant associate that looked a lot like a Twitter "new follower" notice. But I believe it was generated by a "viral inviter" program. It seems similar to what Xobni might do. It's a bit deceptive, as the message was not sent to the email I use for Twitter, it was sent to the email my distant associate had for me. The message's wording was not "... is now following you on Twitter." It was worded as "...wants to keep up with you on Twitter." Looks like either a phishing scam, or a viral inviter that tries to convince you the message came from Twitter. I would hesitate to use a product that is this deceptive, even if it was not a malicious tool. It just looks too sneaky, and I think my clients would start to feel uneasy about it.

That doesn't mean these kinds of products can't be used wisely, but I would want to take time to identify the risks ahead of time, to be sure any kinds of risks can either be prevented, or have damage limited if they do occur.
