May 19, 2017

More on Internet Quiz Sites and the Associated Dangers

What Are You Giving Up When You Use One Popular Facebook Quiz Engine?  Maybe More Than You Think...

A Review of Nametests.com





This is the third part in a series on what you also give up when you take an Internet Quiz.  Part 1 focused on General Dangers.  Part Two reviewed the terms of use for one popular Internet Quiz site. Today, we're going to look at nametests.com.  I think about 75% of the quiz results that come across my own Facebook timeline come from nametests.com.  I think few folks visit the site directly.  Most click through friends' shared results to take the same quiz.  While there, they often fall into a click-hole, taking other quizzes suggested at the end of the one they just took. How many readers have taken a test at nametests?  How many of you have actually looked at their terms of services?


A Visit to Nametests

Rather than clicking through from a shared quiz, I entered directly through their Home Page. There is little there but a link to change your language, very few ads, and a bunch of Quiz Listings.  Now, if you'll remember from Part 1, too few ads can be a Bad Thing, as it means they're making their money from Data Mining rather than selling ad space.  Other than that, there's little information.  There is no "about" page, no share buttons, or any prompts to follow.  The lack of an about page raises red flags, as does the general lack of information about the site at all.  



And I have to admit, I LOVE this disclaimer in the footer of their site:
"This app uses data and contents only if they are publicly available or with the consent of the users. We kindly ask you to use the app only, if other users will not be affected adversely.  Thank you and have fun with our app!"
Anyone understand what they are trying to say here?  "We kindly ask you to use the app only, if other users will not be affected adversely."   Are they warning me that by sharing my Friends' Facebook Info, I am potentially opening them up to adverse use of their data?  



Terms of Service (TOS)

Clicking on the "Terms and Conditions" link in the footer brings me to another domain altogether, (https://www.socialsweethearts.de/terms_en.html) and to a page written in German.  This despite the fact I'm coming from an English Language version of the site.  Clicking on the "English" link brings me to a page that was obviously run through an auto-translator or was written by one of those rich, Nigerian Princes who is always e-mailing me.

Although Nametests.com links to this page, there is no mention of it whatsoever on the linked page, as a "find on page" will show.  So exactly how is Nametests affiliated with this other site, and will they adhere to terms in which they are never specifically mentioned?  I am not so trusting of random web sites that openly mine my data myself.



Are there things in the Socialsweethearts Terms of Services that concern me?  You betcha!  First of all, you're agreeing not to sue, and that any type of dispute shall be handled by binding arbitration under German Civil Code.  You also waive your right to participate in any current or future class action suits against them.  The very fact they anticipate class action suits sounds kind of shady to me. (Section 1 of the TOS.)  

Section 2 goes on to say you are bound to the terms of their contract, but they are not bound to yours.  Then, in bold print, they state:
 If the purpose of the Service it is providing users with information on specific topics or events (eg birthdays, coupons, product samples, etc.), users agree to receive this information via e-mail or equivalent electronic messages, information functions or wall posts within the platforms on which the Service is running. The type and amount of information follows from the description of the Service. The user may at any time opt out from receiving such messages as described in the section "termination" within these ToS.
We may also send you service-related emails (e.g., account verification, technical and security notices, inactivity notifications, account invitations to other users, changes/updates to features of the Service). 

So basically, you're giving them the right to spam both you and your friends, and to spam your Facebook Wall.  They kind of hide that "account invitations to other users" part in the middle of security-related notice boilerplate.  Also, they say "IF the purpose of the service."  If?  If they don't know the purpose of their own service, how can I?

Section 3 of the TOS talks about their "third-party" partners and contains this little tidbit:
 Accordingly, we are not liable to you for any loss or damage that might arise from their actions or omissions, including, for example, if another user or business misuses your content, identity or personal information, or if you have a negative experience with one of the businesses or advertisers or their products listed or featured on the site. 

So they're basically warning you your information may be misused by their associates.

Things look okay from there on, that is until we get to Section 8.  That's where they tell you they now own anything you provide them, including your personal information:
     You shall provide us free of charge and unlimited in terms of location,time and type of use with the non-exclusive right to copy, edit, modify, adapt, alter, edit, translate, make derivative works of, publicise,[sic] and process the legally protected content, information and data provided by you or in your name and to transfer these rights to third parties such as subcontractors or other users (e.g. in relation to embedding or modification of user generated content). 
And they have a right to pass all of this on to third-parties.  Remember, that includes all your friends' information, as you gave it permission to mine that when you "connected with Facebook."  I guess that is what that disclaimer in the footer is all about.  If your friends are angry you gave up their data so you could see "Who would live in a Bewitched Castle With You," you're on your own. (Yes, that IS a real test I saw while checking out the site.)

And if your friend's data is misused, you're on your own.  The site isn't going to back you up:
    You agree to indemnify, defend, and hold us, its parents, subsidiaries, affiliates, any related companies, suppliers, licensors and partners, and the officers, directors, employees, agents and representatives of each of harmless, including costs, liabilities and legal fees, from any claim or demand made by any third party arising out of or relating to user's access to or use of our Service, your violation of the ToS, any products or services purchased or obtained by users in connection with our Service, or the infringement by users, or any third party using user's account, of any intellectual property or other right of any person or entity. 
We reserve the right, at your expense, to assume the exclusive defense and control of any matter for which you are required to indemnify us and you agree to cooperate with our defense of these claims. You agree not to settle any such matter without our prior written consent. We will use reasonable efforts to notify you of any such claim, action or proceeding upon becoming aware of it. 
And they can bill you for their legal fees too.

Section 11 is pretty much gibberish, but it's worrisome gibberish.  Take this paragraph, for example:
     We grant the Publisher a limited, revocable, non-exclusive, non-assignable, non-transferable, non-sublicensable license for Publishing of any Publishing Items made available for Publishing within Publisher's Site. Publisher warrants and undertakes that it will use the Publishing Items solely within its own Publisher's Sites and solely for the purposes explicitly permitted hereunder. All rights which are not expressly granted herein are reserved by us, including for the avoidance of doubt, all data collected by us in connection with the Publishing. 
Huh?  I'm not sure WHAT that says! I think they're trying to tell you that they can do whatever they want with the information they collect, now and in the future, and you are agreeing now to anything they might think of later.

The rest of section 11 talks about how they are ad supported, and they can do anything they want with anything in relation to advertising.  (So where are all the ads on the site then?  Red Flag!)

Sections 12 and 13 talk about billing, payments, and relationships with their paid/paying associates.  If this does not make it clear that they are profiting from your information, I'm not sure what will.   Sections 12-17 basically cover the terms for their clients, vs their users.  As a test taker, you are a user.  The fact so much of their TOS is about paid relationships with clients and vendors should concern you as a user.  

Section 21 discusses Facebook, and includes this proviso:     
All information and data communicated or collected by users as part of the Service are provided solely to the Service Provider and not to Facebook. 
That means that they are, in fact, using that Facebook Connection to mine data, and they are disclosing that, per Facebook's own TOS.

Privacy Policy

Again, I am brought to a German Language page.  And again, a "Find in Page" confirms NO mention of Nametests.com.  Most of this privacy policy is pretty typical for these types of sites.  They disclose use of cookies and tracking pixels that follow you around the web, and your use of the site denotes consent. They will protect your data, as required by law, but cannot assure third-parties they transfer it to will do the same.    However, I do NOT like what they have to say about registering through third-party providers.  (That means things like Facebook, Google, Twitter, etc.)  They say:
    In the context of a registration, we receive a user ID with the information under which the user with this user ID is logged in and an ID that cannot be further used by the Service Provider (so called “user handle”). Whether we receive further data depends only on the user who uses the authentication by a Third-party Provider, the data that is selected to be released in the context of the authentication, and which data has been authorized by the user in the privacy or other settings of the user account at the Third-party Provider. The data can differ, depending on the provider and the selections of the user; normally these are the e-mail address and the user name. In case of Facebook, this is also the - so called - Public Profile Information, that can be seen by everyone. This includes the name, profile and cover picture, gender, networks (i.e. school or working place), user name (Facebook URL) and user identification number (Facebook ID).  (Source: https://www.socialsweethearts.de/privacy_en.html)
They continue:
     The users are asked to keep in mind that their data, which we save, can be compared and synchronized with their user account at the Third-party Provider automatically. There is no obligation however for us to update the data. 

That tells you they're constantly mining your data, even if you never take another quiz on the site.  If you want to cut this data harvesting, you will need to disconnect the app through Facebook, essentially revoking all those permissions you gave when you connected the app.  Even if you disconnect, there is no getting that data back.  And there is no controlling what the third-parties do with it, including spamming your friends with sunglasses ads and like-farming scams that look as if they are coming from you.  In fact, the next section of their privacy policy describes how they will spam you:
    You agree with receiving notifications on following topics and with following content via electronic channels, like e-mail and/or push messages related to: test drives, cars, product samples, free coupons, sweepstakes, discount offers, credits or loans, finances, insurances, travel, applications, social media, editorial content and offers, quizzes, personality tests, smartphones, videos, mobile games & applications, newsletters, toolbars, browser add-ons, software, insurances, investments, dating, mobile communications, complimentary tickets, gifts, online games, travel deals, newspapers, magazines, special offers, sim cards, games, electricity, energy related offers, telecommunication services, surveys, market research, fashion, cosmetics, photo products, mail orders, imaging products. 
"Push Messages" include mobile ads, text message ads, Facebook Messenger Bot Chat Ads, browser notification spam, etc.  They later disclose they use "web beacons" to help enable this.

They bury other Facebook Connection warnings down in Section 12:
     If the Service is carried out as a Facebook application and/or if authentication through Facebook is used, the permission of users is required for us to access their stored data on Facebook. 
 Users are expressly referred in the context of the Facebook consent dialog to this data collection and the data shared by Facebook with us (e.g. public profile, friends list, e-mail address and "Like" information) through the Service. 
They later disclose they also mine your Facebook for aggregate data, for their own use, and to "better improve" your relationship with the site.

The next 5 sections all discuss how they plant code on both mobile and desktops to follow you around and collect data.  They have another five whole sections devoted to telling you about how they collect, use, and sell your information, even if you never return to the site.  They refer to at least six other privacy policies you'll need to read to understand what all is happening with your personal data.  This includes some of the players who are best known for NOT protecting your information, once they've gotten their grubby little hands on it.

Social Sweethearts

Again, although Nametests lists no visible affiliation with Social Sweethearts, all of their footer links go to socialsweethearts.de.  One HAS to assume Social Sweethearts are either the web developers or the actual owners of the site.  So what is Social Sweethearts?  (Apparently they have 19 apps in the android store, all of which look sketchy to me.) It's hard to tell.  Again, there is no "about" section.  There is only marketing hype splattered down the home page.
social sweethearts is the largest publisher of individualized, family-friendly content worldwide. With an organic reach of more than 3 billion pageviews a month, we put a smile on the faces of more than 100 million active users every month. Because we focus on family-friendly, feel-good content, such as quizzes and personality tests, our portals are among the 300 most visited websites in the world. This success is based on an excellent international team and outstanding, self-developed technological platforms and tools, which we use to pursue a KPI- and data driven publishing strategy.
The Social Sweethearts are a multi-cultural team of approximately 100 people located in Cologne and Munich. Additionally, a network of globally dedicated freelancers support us in our endeavors.
So it's some nebulous group of 100 unnamed employees and "globally dedicated" freelancers I'm trusting with all my personal information?  Don't a lot of those Indian Freelancers moonlight as IRS and Microsoft Scammers?  (If you think I'm being xenophobic or culturally insensitive, click on the three links within the previous sentence.  A google search will provide you with other documented cases.)  

Would I Connect My Own Facebook to Nametests?

I'm one of the LEAST privacy-conscious internet users around.  I've had the same e-mail address since the late 90s, and back then, all of these internet privacy protections were not yet in place.  The marketers have had my own personal information for decades.  Prior to the invention of the World Wide Web, I was a member of several marketing panels.  I was even a Nielsen Family for a month.  I've been a "sweepser" since you had to enter by mail.  So the marketers already HAVE most of my data, and they have had for eons.  Still, I went STRAIGHT to Facebook to ensure I disconnected my account, and I manually deleted browser cookies after researching this article.  They already HAVE my info, and these terms of service PETRIFY me!
  
Several of my friends have had their Facebook accounts "cloned" lately.  Without exception, these folks are rabid Quiz Result Sharers.  Scrolling through their timelines and noticing ALL the shared quizzes from a certain provider is what prompted me to research Nametests.com in the first place.

Now Nametests seems to invite "partnerships". They have a very nondescript contact form for those interested.  This is probably how they go viral.  They encourage embedding quizzes for broader data mining.  It also probably means they sell the information they collect pretty freely.

I'm pretty sure one of the reasons the website is so crappy is that no one comes directly there.  It appears they market their viral quizzes to bloggers looking to drive viral traffic to their sites.  The parent company's website looks like a job recruiting site.  I can find little information about the company, or what it actually does, other than what has already been discussed.    This has all the signs of a great, long con to me.

What Kind of Info am I Giving Up?

Sprinkled through this post are images of quizzes shared on Facebook timelines.  At the top of the page is an image with some current test subjects on it.  Different quizzes mine different types of data.  Most ask you a series of random questions to determine the type of car you drive or the color of your aura.  In isolation, these quizzes are harmless.  But what about when the questions and answers from "What City Should You Live In?", "Who Are Your Ideal Rock Band Mates?", and "What Job Should You Have, Based on Where You've Lived?" are all combined?   So each individual quiz only had one or two questions that mimic typical security questions, and one question useful for identity theft, what is the risk?  Well, when you pull the 2 questions from test A, the three from B, and so on, you now have a complete profile, possibly everything you need to get into iTunes or Amazon.  Maybe those answers from the 7 tests combined give enough information to open a credit card in your name.

What is the Danger to my Friends?

You wanted to know who "Are Your Top Ten Friends," so you gave the quiz permission to scan your friends' profiles, timelines, messages, and any and all interactions with you.  On the surface, this makes sense.  How can they determine your "Top 5 Friends to be Stranded on an Island With" if they do not scan your friends' posts?  Well, the flip side of that is you've now sold your friends' data and information along with your own.  So even if your friend is judicious about NEVER taking a quiz from a site like this, you've just blown that for them.  Yup...all those posts your friends shared with "friends only" have now been shared with the marketers as if they'd been public posts.

And all those children's photos everyone has been SO CAREFUL about NOT making public? They've just been shared with the marketers too, and with whomever else they want to sell them to. You agreed to nametests' terms of services when you took that test.  You gave them permission to do whatever they wanted to do with all this valuable information.

TL;DR (Too Long; Didn't Read)

The Privacy Policy at Nametests is one of the WORST I've seen for a privacy-conscious consumer. The Terms of Service make it clear that they exist to provide "fun" for users in exchange for the right to mine and sell their information.  And if you connect via Facebook or another Social Service, they have the right to mine those services for your data too. You are also allowing them to mine the data of anyone connected to you on that platform.  They reserve the right to use cookies, web beacons, remarketing pixels, etc. to follow you around the internet.  And they can follow you around on mobile too.  They can follow you around until you take the active steps to disconnect all social connections, and wipe all cookies and similar files from your browsers, tablets, and phones. And you're giving this permission to some "global network of freelancers."  There is practically NO information about who these freelancers are.  What is clear is that you are exchanging your personal data for a silly quiz whose results mean NOTHING.

If you took just the tests in the screenshots, you've given up a lot. AND they have all of your Facebook info. Add the answers to all the individual questions contained in each test together, and what have you got?  A pretty thorough Dossier. 


Would You Recommend Quizzes at Nametests?

That all depends on if you are looking at things from a user perspective or not.  Although I did NOT inquire about a "partnership," if you are looking to mine others' data for your own purposes, Nametests may be a good option.  Their quizzes certainly are viral, and users give up a whole lot of permissions when they participate.  This means data for you.

If you are a user or a parent, I'd recommend you stay FAR away!  As I said, I've already wiped all traces of my Nametests research from my own system.    If you are a parent, make sure your children DO NOT take these types of quizzes.  Children have the luxury of protecting their information from the minute they click a mouse for the first time.  There have been a slew of laws passed in the last decade, just to protect minors' personal data.  However, "misuse" of data implies disrespect for such protections.  You cannot trust the bad guys to do the right thing ever. 

Is "Facebook Connect" Ever Safe?

Yes.  Facebook connect can be very safe and very handy.  SO MANY sites have gone to using Facebook log-ins for commenting to cut down on anonymous hate and trolling.    Requiring SOME sort of log-in to comment helps keep the comment sections higher quality.  However, you need to be judicious about which sites you are connecting to, as well as the permissions they seek.

You must give permission to "Post as Me" if you want to use the "share" function on ANY website or app.  It cannot share as you if it cannot post as you.  If you are not sharing or posting, be careful of giving that permission.  If you are just logging in or providing an address for a sample, something should NOT need to post as you.  

If a site or app asks permission to scan your friends list and/or posts, etc., be careful.  If it is a contest app that will earn you entries for referrals, it may need to scan your friends list to issue invites.  It should NOT need to scan their posts, timelines, or messages though.  Always think twice before giving permission to do that.

When in doubt, copy the url to which a link leads and google it.  Check that site's or app's own TOS and Privacy Policies.  We've gone over what to look for at two different data mining sites.  Use this information and be aware of the implications of connecting with Facebook.  If the permissions seem sketchy, click "deny" or close the window.

Do Legitimate Quiz Sites Exist?

This series all started with a quest to find a Quiz Site that folks could use to help market their own sites. Fun activities can draw traffic, and they can encourage folks to share.  The good news is that I DID find a couple of decent sites.  I now need to actually create on these sites so that I can adequately review them.   Stay tuned to this blog.  The series will continue with a review of these sites, as well as signs that separate the good from the info miners.  (You can follow us on Facebook or Twitter to be notified when these articles are published, or use your favorite reader to subscribe to our RSS Feed.)

Summary

Always think about what drives a site before giving them any information.  This includes creating an account or connecting socially.  Understand that "fun" often comes with a price, and on the internet, that price is often YOUR information.  Watch how much you give away and to whom.  Look at terms of services before proceeding.  Decide how much information you are willing to give up.  If anything seems to be asking for data NOT easily accessible in Public Databases, think twice about giving it.  And if you're in the middle of a quiz, and you think you're saying too much, start lying.  Confuse the bad guys by making sure your quiz answers are completely useless.  


Other Quiz Sites?

Are there other Quiz Sites you'd like to see reviewed?  Are there Quiz Sites you'd consider safer than others?  Have any questions about what data they're collecting or why?  Hit us up in the comments, and let us know.  
