November 20

Sneak Preview: Is Plaxo Secure, or a Security Risk?

I found that Plaxo had a connector between Thunderbird and their online service, reviewed their privacy policy and terms of service (quickly), signed up and gave it a shot. Generally, most people don’t argue with the request, and it sure is easy to update my contacts.

That immediately, then, sets off some bells for me, and I wonder if I have done something intelligent, or something foolish.

I’m going to take a few days and dig deeper – and maybe even score an interview for the podcast to try to provide some insight for anyone interested.


You may also like

Are you using frameworks properly?

Leadership and communication are actually layers, not levels

  1. Welcome to Plaxo! I’d be interested in reading about your experience with Plaxo – positives and negatives. If there is anything I can do to assist, please let me know.

    Stacy Martin
    Plaxo Privacy Officer
    privacy @t

  2. I’ll be honest. I don’t know that I’m EVER going to trust this kind of service, in any form, mostly for one simple reason: I want to always own my data. I want complete, utter, unquestioning control of all of it. That means, of course, that it all has to live on machines I control completely, utilizing applications that I understand at least reasonably well, and that I trust.

    At this point, I’m looking very seriously for good services like this, especially with some good synchronization between disparate operating system, but I’d be willing to say that I’ll take an application that does, say, 50% of what I want from it, as long as it runs on my server.

  3. Myoder – Those are reasonable comments. As a 3rd party service, Plaxo is certainly not for everyone. I’ve spoken with others who have expressed similar sentiments of wanting to control and own their own data, and the idea of storing their information within any 3rd party is not acceptable to them. Similarly, these same people also refuse to maintain the exact same type of data in the online address books in services such as Yahoo!, AOL, Hotmail, etc… for the same principle.

    But for those who are willing to balance the benefits of a service such as Plaxo with their privacy concerns, we do try to address concerns over ownership within our Privacy practices.

    One of the unique things we specifically state within our Privacy Policy is that as a Plaxo member, “Your Information is your own and you decide who will have access to it”. We do not own the information members maintain within Plaxo. Members own their own information, including the information they maintain within their address book.

    But when it comes to maintaining information within a 3rd party service, people are rightfully concerned about what might happen to their information once it enters the service, or what might happen to it should the service experience some type of Policy or Ownership change.

    In the case of Plaxo, we state:
    – your Information is your own and you decide who will have access to it; you maintain ownership rights to Your Information, even if there is a business transition or policy change;
    – you may add, delete, or modify Your Information at any time;
    – Plaxo will not update or modify Your Information without your permission;
    – Plaxo will not sell, exchange, or otherwise share Your Information with third parties, unless required by law or in accordance with your instructions.
    – and Plaxo will not/does not send spam, maintain spam mailing lists, or support the activities of spammers.

    Plaxo is also one of the few companies to publicly state how a member’s information is treated in cases of a business transition. You can read more in our Privacy Policy, but basically we state “Following a Business Transition, Plaxo or its successors will continue to use Your Information in accordance with the Privacy Policy under which the information was collected. ”

    The intention of our Privacy practices is to ensure members maintain control and ownership of their information at all times. Obviously, I am biased, but I think you would be hard pressed to find many other services or companies as transparent or with stronger consumer protective privacy practices than Plaxo. Skeptics will tell you that Privacy policies can be changed, which is true. But these changes only apply to newly collected information. It would be a violation of US law (Section 5, FTC Act) to apply changes to privacy practices retroactively (ie: information already collected). More importantly though, I feel it would violate the trust we have established with both members and non-members, and ultimately destroy our business.

    But if you feel Plaxo is a service worthy of trust, we do provide the ability for people to synchronize address book, and PIM information across disparate systems and services. We support multi-system synchronization and automatic updating across various applications and services including Outlook, Outlook Express, AIM, Yahoo!, Thunderbird, and others…

  4. Dear PlaxoPrivacy,

    I noticed that in your description of the privacy Plaxo provides to their customers, you did NOT say that Plaxo will not read the data of their customers.

    It would be nice to see a policy shuch as “Plaxo will not read the data of its customers unless 1) explicit permission is granted from the customer or 2) a law enforcement agency with appropriate juristiction demands to see the data.”

    Do you already have some such policy?



  5. Howdy

    I bumped into this site by complete accident – glad I found it and will be an avid reader. Apologies for the long post below…

    In reference to a post by DeaconJohnFairfax, it’s mentioned that we “did NOT say Plaxo will not read the data of their customers”. Well, I hope to give a clear answer on what we are allowed to do with your data based on our privacy policy – that should address the additions you were recommending to be added to our policy.

    At Plaxo, we believe that your information belongs to you – and you decide who will have access to it. Of course, the condition here is that Plaxo will have reasonable access to your data in order to maintain continuity of the service. Now what does that mean?

    Well, most Plaxo employees do NOT have access to customer records – this is a cardinal rule that I’m sure most companies adopt in any business. If not, then that’s a bit worrisome. It’s important why non-essential personnel have zero access to records – let me continue why that is….

    Our service “reads” your data so that we know how to sync others to you (our primary purpose is to connect people). So it’s necessary that we know who is in your addressbook to make those connections. Of course, there are other reasons why the service “reads” data from your account to allow features to run – however, it’s limited to only what we specify on the privacy policy. Also, if we ever significantly change those features, we just can’t use your data in the new features unless you agree to a new privacy policy. Why? Because we can only use your data based on the policy in which we collected it.

    However, in the context of your post, I believe you may be more concerned “strangers personally reading your data” – as I would be myself. Given the mantra that “your information belongs to you”, we still have an obligation to our members to ensure that our service performs as expected. To maintain that quality of service, we have a very small and limited number of employees that can view the data in your account – these are database administrators (or “server engineers” in our naming convention). The only reason why they would ever need access to data is to make sure that the service is behaving as expected. These engineers have very deep visibility on system logs specific to sync errors, data corruption, etc.

    If these key engineers can never view data, transparent fixes would never be implemented quickly and problems would go on unexplained longer than necessary. We could individually solicit for explicit permissions, but you can surely imagine the time and effort involved to accomplish that. We have over 18 million members (and growing), each having addressbooks of 100+ on average, approximately half of which are non-US, running on a service with an uptime of 99.999% (24 hours x 7 days). So, to make it simple – by accepting the terms of services and agreeing to the privacy policy, members are essentially giving us that “explicit permission”.

    Will we share that data with anyone else? Never – unless you gave us permission to do so or if a court order requires it (again, this is all in our privacy policy).

    Although I am a Plaxo employee (and have a biased take on this), I too am a Plaxo member – my data sits on those same servers. And like many people, I put notes and calendar events in trust that those Plaxo employees are not reading my confidential notes – something that would really make me unhappy. And because every employee here is in the same boat as I am, privacy and security is everyone’s job.

    @DeaconJohnFairfax, I hope that addresses your questions – and I certainly welcome your (and anyone’s) feedback. Also if anyone have deeper questions about how we handle your data, or have questions about our policies, please feel free to contact me directly (privsec ~at~

    Redgee Capili

Comments are closed.
{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Subscribe to our newsletter now!