Wednesday, February 11, 2009

Open letter to IBM - your communities sites are causing spam

Dear IBM Community Managers & Social Media Czars,

I've noticed that you have finally realised it's 2009 and not 1989. As such, you seem to have taken little baby steps moving beyond traditional methods for marketing and community building. Apart from a sporadic sprinkling of twitter accounts (mine is here if you want to follow me to deal with my complaints there instead of waiting for open letters), you now seem to have what looks to be the beginnings of centralised communities sites (whoa what an "innovative" concept).

It looks to me like these sites are trying to aggregate useful things for each community (e.g. blogs, tags, forum discussions) and while not exactly "cutting edge" is a start considering how you have done nothing about evolving your old marketing and communication strategies since Lou Gerstner joined the company. He obviously couldn't do much about it because he was too busy trying to save IBM from going down the crap hole, so you could be forgiven for taking some time to catch up but seriously, it's frigging 2009 IBM.

I have a specific issue regarding your communities sites. Maybe I'm stupid so bear with me but I signed up to be a member of your IBM Security Community thinking I should take a look at whether my ex-employer has finally realised what year it is. The first thing it insisted on was that I used my IBM ID (which still thinks "Identity Federation" might have something to do with Star Trek). This is fine, except that the IBM ID now insists that users have to use their email address as their login. This is fine in principle, but it looks to be the root cause of the problem which I will expand on later. All things considered, this part of the process was fairly easy. So I started to take a look around and realised that it was pretty bare-bones. Again this is fine because I realise this whole "Internets tubes thingy with sites and people at the end of them tubes" is fairly new to you.

Just a matter of days later, I started to get messages sent to my personal email offering to shower me in riches on receipt of my bank details and interesting products offering to "enhance my manhood". I NEVER used to receive unsolicited messages to the email address in question due to the fact I take precautions not to give it out unnecessarily or to post it online (yes on the "Internets tubes thingy"). So I did some digging online (it's called searching, IBM - you may have heard of this small company called Google?) and found my email address! And where did I find it?! On your IBM Security Community site that's where! I should note that I could see this without being logged in. Yes, this means it's PUBLIC.

I immediately logged in and tried to find the offending page. Upon finding it, I immediately went about trying to change my settings to remove it from public view. About 15 minutes later, I finally realised I had to navigate to a listing of everyone's profiles to get to my own profile (nice to see you still haven't hired usability designers). I then clicked on my profile details and there it was, my email address staring at me.

While the incongruity of it all was unnerving, I pressed on. I thought: "OK, I've found it, now I'll just go change the settings". So, I clicked on "Edit My Profile" and spent about 10 minutes clicking on the same links over and over and over and over and over again in the hope that my email address would magically appear (that's what I used to do when I had to demo your software). I persevered thinking that it must have been my own fault or stupidity. And then I had a "eureka moment" as I glanced at the bottom of the screen. It read: "IBM Lotus Connections". And then it hit me: "Ohhhhhh it's Lotus software. I'm going to need to go screw around with some Lotus Notes database somewhere which I don't have access to". By the way, is this new-fangled Lotus software incarnation just crappy old Lotus Notes with web bits hidden behind WebSphere Portal Server (if you mention the word "cloud" anywhere in your answer I'm going to throw up)?

IBM, does this mean that you are simply pulling my email address from my IBM ID and not giving me a way of changing this? Why does this matter you ask? Well, perhaps if it was listed I could potentially delete the field in the absence of adequate privacy controls in your software. That's why! But the fact it's linked makes me think that I'd have to de-provision my IBM ID, or at the very least de-provision my IBM Security Community membership (is that some Lotus Notes group?). Oh I'm sorry I just realised that I'm talking to Lotus and you don't talk to Tivoli so all this talk of provisioning must be confusing the heck out of you. Don't despair, read on and you might start to get it.

Thinking that surely this could not be the case for everyone unfortunate enough to have signed up to the IBM Security Community, I looked around. Surely enough, I found a link that listed ALL the members of the community. And against each member, you guessed it: their email address. Don't tell me it's all fine because to get the email address you have to hover over the person's name before the menu comes up to click through to their details. A bit of JavaScript cobbled together with "security by obscurity" does not pass the test. At this point, I was thinking that this was pretty piss-poor (Aussie slang but I think you get the point) given this was supposed to be the frigging "SECURITY COMMUNITY".

Hoping that this was isolated to this community, I decided to take a look at the other non-security communities. I hoped that someone would have some sense to configure the other communities differently. To my despair, the other communities were exactly the same which made me think this was the default behaviour of the software. So IBM, this is what you've done; anyone who is a member of one of your new communities sites has now had their email address exposed to the world whether they like it or not. Even worse, there is no way to turn this off short of leaving the community. But it doesn't really matter now because you may not have figured this out yet IBM, but once something is on the web it's pretty much there forever. So I could leave your community, but the damage is already done so there's not much point.

I'm not actually sure your community moderators can do much about this issue so I choose not to blame them. It is disappointing that it looks like this is the default behaviour of your "Lotus Connections" software.

Having tried unsuccessfully to change my profile settings, targeted twittering to ask this question (without replies) and a lack of an obvious mechanism for feedback on the communities site, I've decided to write this open letter hoping that someone at IBM who can do something about it reads this. If this has reached somebody in Lotus-land, you are probably confused by all this talk of security and privacy. In the event you have not spoken to someone in Tivoli-land to help you decipher my ramblings, I'll summarise everything for you:

Why do all the IBM communities sites display all member email addresses by default? This would not be so bad if there was a way to update profile settings to hide email addresses. But either through a software limitation or my own stupidity, there does not seem to be a way to do it. Why does IBM see fit to display people's email addresses by default and not allow for a way to "opt-out"?

By the way IBM, if I were to "accidentally" click on one of these offers I'm getting in my email, can I use my old IBM expense account to claim the costs? If so, I could potentially overlook your blatant disregard for my privacy.

Yours sincerely,
Ian Yip
Disgruntled ex-IBMer
