• Daily Visits
• Unique page views
• Promotion of a link by Twitter Delicious & Facebook (currently)
• The traffic you send by a specific channel

One True Fan Toolbar

The main interface for One True Fan currently is the toolbar.

Here you can see the toolbar on my screen just as I have become One True Fan of Techmeme – actually quite a hard challenge because Techmeme isn’t really a site with 100s of pages that you might normally browse.

You can gain more points by linking there, which I assume Louis has done a few times over the last couple of weeks as well as daily visits. I did manage to catch up though it is not something I could normally maintain as I don’t use Twitter.

The toolbar can get a little annoying – quite often I have forgotten to switch it off when taking screenshots, and for hardcore SEOs access to footer links can be impaired. Having to hide the toolbar on every page view when doing some work can be a pain, plus at times you are looking at lots of client sites which you might want to not permanently block, but turn off temporarily.
During the last month of alpha testing I even uninstalled the toolbar for a whole week due to these problems, and I know a few others have done the same. It is something that will hopefully be fixed soon.

One True Fan Profiles

The profiles provide a nice record of where you have been, which sites you have “captured” and which have fallen to your enemies or friends.

You can see I have been having a few small battles over various sites… well at least that is what some normal useage patterns can look like – I suppose if I was really “invested” in one of these sites then that would matter.

Being the One True Fan of Google will no doubt make a few readers LOL.

MyBlogLog Roots Empowering Marketers

3 years ago I explained why social media marketing sucks. I realise that monitoring of social media has improved a lot in the enterprise space over that time.

The team behind One True Fan are the original team members of MyBlogLog – all of them as far as I can tell. They have been off doing their own things for a few years. Eric was a co-founder of Gnip which is still doing well, but they are back to take another bite at the cherry.

MyBlogLog started off life as a tracking application – Eric wanted to see which links were popular on his blog. The widget came later as did the social graph, the collation of data etc.

I don’t think they have any plans with One True Fan to tackle content in quite the same way, though the questions I have asked have admitedly been focused on marketing features. I am a marketing geek after all.

Those still at Yahoo… please forgive me… I am going to refer to MyBlogLog in the past tense. There isn’t an indication what Yahoo will do with MyBlogLog.

One of the unique features of MyBlogLog was the ability of the widget to tell a site owner who was visiting. I am not referring to just looking at a widget, or an expanded list of the last 127 visitors that people played around with.

You could grab their user id as a javascript variable, and then use that to mine their social graph – only recently I discovered a WordPress plugin that works with that feature for some data mining, though it was a little bugged.

Big things are made about how Facebook is now expanding their special partnerships with a few sites to provide them with data about visitors before they have even logged in. MyBlogLog could do this 3 years ago, linked with lots of social graph information if a visitor included that on their profiles – you would also get a list of all their favorite blogs, and those in most cases were automatically added to after 5 or 10 visits.

You could also use the data to see what individuals were doing on your site, in some ways like expensive CRM systems such as Infusionsoft can tag people.
My friend Rob had a cool little tracking script that would log all the visitors to each page, so you could determine who were your biggest fans – I tested it for a little while. One day I was shocked to see one new visitor… a human not a bot read 52 pages of my blog in a single very long session – I think it was a Saturday and he just hung out reading.

You could also use the data to do all kinds of dynamic content targeting and data mining. In many ways Facebook are late to the game.

The problem is to actually use the MyBlogLog data there are some… issues

• You needed to be able to program and the API access had to be applied for on a per domain basis – not mass market.
• There were privacy concerns – if you started visibly profiling people and giving them rewards based on visits, and lots of people started doing it, there would have been a stink – this was the aftermath of the Facebook Beacon problems.

Tying similar technology into a toolbar of some kind makes sense because it is then installed specifically because people want their movement’s tracked to become the “One True Fan” or earn other rewards.

One True Fan Rewards

Things are a little vague on the rewards side – I have questioned Eric Marcoullier quite extensively about what will be possible, but you could really liken it more to a brain storming session than Eric explaining planned features.
There will be a way of delivering some kind of rewards – what criteria, how the delivery works etc we will have to leave for another day until things are a little more finalized. Things like coupon delivery in some way are a given, so are custom badges/patches.

Possible criteria:-

• Number of referrals (by some 2 way API integration or goals)
• Driving traffic
• Visiting certain pages
• Attaining a certain number of points
• Being One True Fan
• Visiting a certain number of times
• Visiting a certain number of consecutive days

A social media tell-a-friend rewards system on steroids.

Widgets

Apparently there is meant to be some widgets coming – I have no idea whether these might work with other platforms such as Facebook as an alternative for identity, but they are comimng all the same.

One True Fan Analytics Dashboard

One thing immediately “missing” is any kind of analytics, even as a toolbar user. If you are looking for click stats for links you share you are going to be disappointed for a while. You can get some idea from the number of points you gain.

Competitors

Badgeville – also launched at Techcrunch Disrupt – seems to be a white label solution for each brand site – mybe I am biased but I think it is the wrong solution for 99.9% of websites. They are a “solutions” provider for large sites, which means I am sure they are also charging a lot of money for implementation.

Chirrps – this seems like Entrecard 2.0 – despite having launched it is nowhere near the same level of sophistication.

Comment Luv – it might seem strange, but any incentive to visit other blogs, even if it is a just the ability to leave a comment is competition – in some ways even being a dofollow blog is an incentive as well – they have a referral program so I used a referral link.

Contest Burner – currently off the market but it is a WordPress plugin to run your own incentivized contests, rewarding things like tweets, comments, email subscriptions etc.

I don’t look on MyBlogLog or Blogcatalog to be competitors, as there isn’t really any competition for attention. One True Fan you gain points for visiting websites and promoting them which is complementary to other blogging and social media activities.

More details on Techcrunch, Louis Gray and Techmeme

For me it isn’t the game that excites me but the ability to identify those fans that are not immediately obvious.

I would be lying if I didn’t also appreciate the enhanced viral (incentivised) distribution of content.

Note: It is and Alpha version – for me, Beta starts around 90% feature complete for what should be there at public launch. Development is gong at an extremely rapid pace. Techcrunch reports $1.2M in the coffers but it was obvious there was going to be some significant investment with the number of early stage investors playing for the last few weeks.

I did a little test signup yesterday with a spare email account and received an email to signup within a few hours so signing up is worth doing – they are not going to keep you waiting forever.

Thus I am glad to see Twitter will switch off access to their API using standard authentication of username and password, and providing access only by OAuth.

For that I applaud the Twitter team for taking a positive step for online security.

Do As I Say, Not As I Do?

Twitter are still scraping friend information from email accounts.

It doesn’t matter what they claim they scrape, or that they claim to not store the information

• Not using OAuth is now totally hypocritical
• Twitter have been hacked in the past
• A few hundred million people giving up their email passwords is quite a valuable target

I realise Facebook only fixed their Friend Finding / Tell-A-Friend system after they purchased Octazen (and shut it down to new customers), but if Twitter expect their developers to use OAuth, the least they should do is use it themselves.

Update

Just saw this in Facebook – I know that Skype contacts are hardly the key to your online business like a Gmail account, but I thought they were finally past all this account scraping crap.

Facebook sucks for privacy again… well even more… well you know.

Now in the space of just a week I have been able to highlight a solution based upon one of my own blog posts that uses a slightly ghetto, but K.I.S.S method to achieve extremely effective viral tell-a-friend functionality, and now I want to mention another more sophisticated solution.

In my last post I mention that Stompernet currently have an offer to get their Stomping The Search Engines STSE2 SEO Course 100% Free with no credit card requirements.

Now if I am going to state that something is 100% free, I really want to be sure that there are no strings attached.

So I tested the signup procedure and created an account for my wife.

Stompernet Tell-A-Friend Process

As you can see, lots of import options, and whilst a few of them do require username/password, the most important business centric address for online marketers, Google, uses an API hosted by Google.

Remember, Google Account is Key To:-

• Gmail (Paypal, Domain registration, Hosting)
• Adwords
• Analytics
• Adsense
• Private Calendar

Entering your email and password into a form on a 3rd party site is a security liability.

Asking your customers to do it is a security liability for them, thus a business liability for you.

Stompernet are the first in the “Internet Marketing” niche that I am aware of to use a legitimate, safe process for gathering contacts for use with incentive based Tell-A-Friend, and do it better than Twitter, Facebook & LinkedIn.

Probably due to time constraints, one visible blooper is that they haven’t registered with Google (I am not sure of the procedure), and it might take a while to process.

Here is the email that gets sent to your friends.

It would be good if there was a way to edit it before sending

I Skipped Something

The observant will notice I skipped the import stage as I felt it wrong to crop the image, for impact. Whilst I am on a lot of email lists, and have a fair few contacts, I don’t think this situation is unusual.

This is going to be a usability issue with almost any primary email account used by an online marketer., unless they are ruthless with their email list pruning.
The more ghetto version doesn’t have this usability issue, because emails are filled out within the native email interface.

The script that Stompernet are using is Octazen which looks very capable, and they list lots of social networks among their customers. They also have a WordPress plugin though I am not sure of the capabilities – something I will be looking into myself.
I have no idea why so many sites still ask for passwords. Maybe they are using an old version of the script that doesn’t use the APIs for some reason.
I must admit that acted as a negative advert for them – I had been to the site previously, seen the logos for Twitter and LinkedIn – remembered how bad their systems were asking for Gmail passwords, and just ignored them.

Oh… that list of contacts – this rivalled John Reese’s 40 page Traffic Secrets sales letter… around 40 pages in this screenshot, though that only takes us up to letter “T” – my screengrab software was having problems with a file over 30,000 pixels high.

Gmail Imported Email Addresses

I am not sure what drove me to sign up as a JV partner with Dan, though the following factors almost certainly played a factor.

• Supreme confidence in the value of his product just oozes out of the videos he produces (there are lots of them)
• Lots of professional landing pages – it is obvious he has spent a lot of time working on them
• A great JV Opportunity but to be honest I would highlight this anyway… you will see why in a moment

Unobtrusive Marketing

I have spent a fair amount of time since I signed up with Dan chatting with him on Skype – his commitment to his JV partners is exceptional, but I am sure that has also lead to significant improvements in his sales funnel as affiliates give him direct feedback.

We have all seen various improvements to sales funnels over time, and a lot of what Dan is doing will seem very familiar. The overall design of the landing pages, the opt-in etc, but Dan has added a few of his own twists that take things to a new level.

What is special is that the things Dan has added are smart and unobtrusive, but still catch the eye and achieve the desired effect – many of them he has coded himself.

It is a rare thing for me to see something and immediately reach for Skype and ask “Where did you get that script from?”

Long Term Commitment To Success

I am going to swipe a small excerpt that Dan sent out in one of his JV emails – if you are a successful online marketer, this is the kind of email that might make you emotional, because you can almost see before you a guy that is just about to hit a home run.

******************************
1 Year In The Making!
******************************
Someone asked me the other day if I am starting to get excited, because launch is getting so close. I find it hard to put into words how excited i am getting. To give you an idea, I have been working on this project since September last year. 20 hours a week at first, then 50 – 60 hours a week for the last 9 months… and it finally feels like it’s within reach. So am I excited? What do you think?

The fact that I am so exited is only part of the contributing factor to me not sleeping at night. The other thing is the fact that I am on the other side of the world to pretty much everyone, and I spend hours on the phone. Amongst other things, I have spent ages on the phone making sure that I will be able to handle a huge launch in every respect.

The Personal Touch & Proof

There is nothing quite so powerful in establishing relationships with a JV partner than a personal greeting. The one I received from Dan was remarkable, not because of big promises of huge commissions, special access or anything else you might normally expect – the greeting I received was really personal, and at the same time provides me with something more valuable than even a $2000 boxed product… proof

I have been given permission to publish whatever I like, but here is just a small excerpt.

Thanks for coming onboard with TheBossBuster launch. Just thought I’d drop you a quick hello and welcome, and also let you know something that I learned from you that is going to make me a lot of money (and already has done alright for me).

Ok so that grabbed my attention but on its own isn’t much to go on, lets grab a few more snippets…

Originally I bought viral inviter, and was going to use that on my site. After ■■■■■■■, and ■■■■■■■, I went looking for another solution. What I found was a solution on your site, where you can just pass parameters to gmail, hotmail etc, and do effectively the same thing straight through them. This has a number of advantages over viral inviter (which I am sure you are aware of, so I won’t tell you how to suck eggs).

Yes I have ■ out some of this. I will quite happily criticise an application on specific technical issues that represent a risk to my readers, but I am not going to address other aspects that may be hearsay, or subject to specific circumstances.

But I digress…

So long story short, when I tested this with one of my affiliates, I made ■■■■■■■. I was also getting people to do some social networking referrals, but most of the extra was from the emails. The best bit about this is ■■■■■■■, so it doubled my income! Now I am rolling it out on this major launch, and I expect it will make me 6 figures!

I am keeping exact numbers confidential but suffice it to say most people would be able to live for an extra month on the additional income made on one relatively small test.

Now I can’t give you any specific reference, but a frequently quoted figure is that a Tell-A-Friend script, even some of the “viral” ones with features copying Facebook & Myspace rarely add more than 10-20% additional subscribers.

For a tell-a-friend implementation to double Dan’s income, and notice he was specifically tracking the emails compared to social media referrals, that is a huge revenue increase… from one of my blog posts.

Dan absolutely nailed the best possible way to encourage me to write something… providing me with some proof that helps me with any future product launch.

Tell-A-Friend Implementation

Dan didn’t just take an idea from my blog and implement it, he ran with it adding nuances that work so well, he doubled revenue.

Here is just a small part of his Tell-A-Friend page

This Tell-A-Friend implementation I endorse fully (though I did agree to disagree on a couple of details)

• No password is requested
• It is bullet-proof – it doesn’t even use APIs
• Email deliverability is most likely much higher than other solutions
• Emails are sent from a “natural environment” that the end user is familiar with
• Dan figured out a way to even add incentives that are delivered automatically
• The incentive system is multi-tier, rewarding people who refer more friends

Ultimately it is better than anything I have seen used by 6, 7 even 8 figure online marketers, and in many ways better than what is used by Facebook, Myspace and other social networks.

There are a whole load of other smart things he has added to the page that work very well, but I don’t want to spoil it for you for when you sign up to check things out.

It isn’t perfect (but pre-launch doesn’t officially start until Monday)

• The page needs a privacy statement
• A few trust marks could probably boost conversion even more
• I have encouraged Dan to change the way videos are being streamed, but more on that at a later date

Exit Strategy

This is what prompted me at 3am to immediately fire up Skype and contact Dan this morning (there are some advantages with him being in Australia)

• We have all seen corner-peel ads – they are effective to a degree
• We have seen automated “live support” robots on exit, which we all know are fake
• More recently the fashion has been to redirect to a new offer page, opt-in or other alternative, which is often confusing for me which button needs to be pressed to actually stay and read the damn things, I don’t know about anyone else.

What Dan has implemented is different… unique, apparently he coded it himself, and it was quite simple to do

It grabbed my attention as a geek, but I am sure it is something that would grab the attention of any audience, though it is something you would want to split-test extensively – it is something that can be split tested very effectively.

Just watch what happens on the page when you try to exit before opting in…

I am sure the code is very similar to a Page Peel, but the effect is quite different.

Video Use

Dan has made some great use of video in his prelaunch to JVs, keeping them informed on a regular basis. This is one thing I have strongly urged him to tweak however, but more on that at a later date.

I am not going to say he has done things better than others, but he has used video extremely well at every stage of the sales funnel that I have seen so far, and for regular JV updates.

JV Tools

Dan is quite proud of his JV Tools area that is pretty effective – plenty of preprepared emails and banners without the usual long confusing page. I can’t remember the last time I just used even part of someone else’s copy but that is just me. I tend to highlight things in a different way.

Smart Autoresponder Pages

This part isn’t quite unique, I know Big Jason Henderson sells a similar script, but it was very well implemented and no doubt increases email confirmation rates significantly as it is “smart” specific to each email service.

Product Fit For Your Audience?

Who knows, Dan is running a 2-tier affiliate program using Delavo which is fairly robust and has some interesting features in itself. I know lots of affiliates who love it.
The product is a little risqué for some territories, sports arbitrage, but Dan certainly seems to know what he is talking about, and the videos I have seen suggest he is an exceptional teacher – of course he provides a solid guarantee as well.

Apparently he has tested in multiple niches with some quite interesting results.

The Purpose Of This Post?

• Above all, I think Dan has been working his #$%^ off for months assembling this launch
• I love people taking action based upon my blog posts – Dan isn’t the only one who has seen remarkable success, but there is a danger in bragging about things like SEO. I want you to see Dan’s Sales Funnel
• I believe the product might be of interest to some of my audience.
• I love 2-tier affiliate programs and I know some of my readers are a great match. Sign up to JV with Dan

(Note: I will add in the links to the squeeze page on Monday, but you can navigate your way through easily enough – I wouldn’t want to be accused of emailing early for the launch)

Allow Twitter to Scrape Your Personal Information In Gmail

I have written extensively about the problems associated with Viral Tell-A-Friend systems. People are becoming careless with personal and business security, and soon adding an email and password to a box will be as common as handing over an email address… but with dire consequences.

My opinion, Techcrunch shouldn’t publish what they found in Twitter’s undie drawer… but only with the provision that they remove the hypocritical viral tell-a-friend, and encourage other startups to do the same… until they learn to use APIs correctly.

Dopplr manage  to use APIs for TAF without the massive funding, and Gigya seem to have some API support.

Let something good come of this, and get all major social sites to stop scraping 3rd party accounts as well.

This post is a year overdue – I have held back the material and refrained from pointing the finger for that period of time, but there is something I have noticed:-

If you don’t kick up a big stink, possibly including names, any advice just gets swept under the carpet.

I was on a very good webinar last night – Mike Filsaime and Anik Singal were highlighting all the mistakes that have been made with various “free offer” or “just pay shipping” offers.
This didn’t just cover mistakes that might have led to a poorer conversion, but also what has become known as upsell hell.

11 months ago after a number of prior warning posts I made the following statement.

Over the last few months I have already taken the decision not to promote a number of sites and services launched by Internet Marketers using these dangerous scripts.

I have proven I can rank highly in the SERPs for any product. It is going to help conversions when on the first page of the SERPs for your product name potential customers find…

Product Name – WARNING: SECURITY RISK – Read This First!
or
Product Name by Marketer Name – Warning: Security Risk

The only problem is, this won’t be a typical fake affiliate promotion, but a real warning

Note: I also provided a number of solutions within that post that don’t require a viral tell-a-friend to ask for a username & password.

Viral Hell – Prosecution Exhibit 1

Probably the most prominent viral tell-a-friend script is Viral Inviter, beta tested by Mike Filsaime for the launch of his Butterfly Reports site, and that site was used as “proof” of the effectiveness of the script within the launch of Viral Inviter, and on the sales page.

Here is what it looks like embedded inside Butterfly Reports (screenshot taken just a few hours ago)

How bad or insecure is it?

Here is a direct link to the framed form on the ButterflyReports.com site.

What could be tied to my Gmail account?

That is the key to unlocking:-

• Multiple Email Accounts
• Your Google Adsense Account
• Your Google Adwords Account
• Google Analytics
• Google Website Optimizer
• Your PayPal Account
• Affiliate program passwords
• Access Your Blogger account
• Access any scripts that allow you to resend or reset passwords
• Open any social media profile that used that email address
• Did you use that address for domain records? Wave goodbye to your domains

This isn’t a case of whether the script itself is secure, but the server

There is probably no such thing as an open-source content management or blog software project that hasn’t had at least one security vulnerability discovered within the last year.

It only takes WordPress or another popular script to be hacked, and rather than injecting a few links, any script, including a viral tell-a-friend could be modified to do something unintended.

This sin’t even about that specific script running on Mike’s server, but all the 100s or even 1000s of customers of Viral Inviter who might not have a team of programmers and security geeks working for them.

Also Butterfly Marketing has been customized to work with Viral Inviter out of the box.

Butterfly Marketing may or may not be as secure as WordPress, but just like with blog software, that doesn’t matter if you are not storing or asking people to input into forms highly sensitive data.

If a script/site gets hacked, you hopefully have at a minimum daily backups, and all that might be accessed are a few email addresses plus your content – annoying for customers but ultimately not a business liability for anyone.

If you run Viral Inviter with Butterfly Marketing, and something gets hacked, the most profitable exploit of your high traffic site is to grab Gmail username & passwords, especially if your site is targetted to novice online marketers.

Viral Hell – Prosecution Exhibit 2 – Twitter Scripts

As Twitter has become all the rage among marketers, especially how to create a viral “buzz” effect on product launches, or use it to build up a massive number of followers, marketers have looked for ways to encourage people to tweet about them.

The innocent methods are things like the retweet buttons you will see on my blog, or encoded retweet links.

Aside – have you noticed on recent product launches that the retweet links haven’t included affiliate links, thus are effectively “leaks” in a landing page for which an affiliate gains no benefit, unless they are offering huge bonuses to benefit from the buzz?

The more nefarious solutions are the “free” scripts that you can receive just by tweeting about them, install on your server, and then use to offer small incentives to tweet about your upcoming product launch.

The most popular early solution was Viral Tweets and I have seen tons of otherwise very respectable marketers use this script or a variation of it as an incentive to gain viral exposure.

Just like with Tell-A-Friend scripts that ask for your gmail account, the danger isn’t necessarily with the Tell-A-Friend script, but hosting it on a server which might be insecure in other ways.

A twitter account isn’t anywhere near as valuable as a primary email address with password, and accounts taken over can possibly be recovered with the help of the Twitter engineers and support.

But…

• Why subject potential customers to something that might be a security hazzard?
• If you are a respected marketing guru, isn’t it your responsibility to promote best practice, especially as whatever tactics you do use in your campaigns will be mimiced by others, often with less precautions such as server security and audits.
• Some implementations might be scraping off the cream that your afiliates have earned.

Viral Hell – Prosecution Exhibit 3 – Twitter Pyramid Scripts

If you missed being exposed to TweeterGetter on Twitter you were among the lucky ones.

The true “viral” effect lasted less than a weekend, and from then on, the viral exponent (a term I learned from Mike Filsaime’s Butterfly Report) was less than 1.00.

The headline claim was for users to achieve “19,530 followers”, a target only just achieved by the site creator within the 30 days – from memory he reached that number after 27 days.

Now in this case the “viral hell” isn’t for the users of the site, though there have been a number of individual Twitter applications where it was suggested the account details were being abused. As far as I am aware the script isn’t being sold (though it might be a backend offer), thus there is only one potential vulnerability.

The “viral hell” is for the readers. After the first week the only people tweeting links were:-

• Spam accounts
• Desperate newbies
• Otherwise automated accounts

I am sure some people still abuse their email lists in this way, but it certainly isn’t the pinnacle of marketing excellence.

Viral Hell – Prosecution Exhibit 4 – Twiveaway

About a month ago Brad Callen, a marketer I generally respect and whose products I have purchased (e.g. SEO Elite many moons ago) released a new script/service for Twitter giveaways.
I contacted him directly, and suggested ways to improve it, and that requiring passwords was not only a security vulnerability, but for giveaways it isn’t actually something that is needed.

Requiring a password for a 3rd party service is FRICTION – much more than an email address

It looks like a month later, the scripts out in the wild, such as used by Launch Tree, still require passwords.
It is highly possible that Anik actually has a beta version of the script, and that Brad is generally only providing this as “software as a service” to most users.

I expected much better

Danny Sullivan I think coined the phrase “craphat SEO” for the SEO tactics that exploit vulnerabilities such as link injection in blogs.

Jeff at Coding Horror described this kind of programming as:-

Email is the de-facto master password for a huge swath of your online identity. Tread carefully:

* As a software developer, you should never ask a user for their email credentials. It’s unethical. It’s irresponsible. It is wrong. If someone is asking you to code this, why? For what purpose?
* As a user, you should never provide your email credentials to anyone except your email service. Sites that ask you for this information are to be regarded with extreme suspicion if not outright distrust.

But it in many ways is worse, because this script from Brad doesn’t even provide any real protection, or that is the case from examples I have seen.

e.g. You can get a Twiveaway account here without using their forced retweet form, and I accessed that just looking at the form source code.

Viral Hell – Prosecution Exhibit 5 – Launch Tree

Launch Tree already have retweet links in various places, including on the main landing page. In theory, the majority of traffic to the site is landing there, and giving an email address to get access to free content.

Now as an additional barrier, for what might be one of the hottest videos with Andy Jenkins, they also require you to tweet about it.

These guys run companies making $10M+ a year, yet they are using Brad’s craphat software, and asking people for passwords to their Twitter accounts.

I am not worried about them collecting passwords, not even a huge amount with server security (well at least I hope they have that buttoned down).

The biggest problem is their position in the industry and endorsing this method as acceptable.

There is a reason on the TV they use a phrase

“Don’t try this at home kids”

I don’t endorse Google, Linkedin, Facebook et al scraping email accounts for viral marketing, but lets face it, they can do a better job with server security than the average internet marketer, and even then it is only one security vector being attacked.

A good implementation – maybe take a look at the way Dopplr uses APIs – just a small startup with a little funding, much less than the income from one major product launch.

Launch Tree

I still think Launch Tree is a highly valuable product for any marketer looking to promote a product and optimize their conversions and ultimate launch profitability.

Maybe even more so because of these issues raised, because it provides a central knowledgebse of what works, and what is acceptable. Such as one of Mike’s launches mentioned last might where even if someone only wanted the initial offer, and none of the upsells/downsells, it would take them 37 minutes to actually finish their order… real upsell hell that Mike learned from.

How good is the free material being provided during the Launch Tree launch?

Exceptional

As an example after the Brian Johnson interview (where they only revealed part of the launch details) I decided that I needed some notes, both to aid my long-term learning by writing things down in some way, and as an aid to actually understand what was being said.

So I put together a detailed process map, with all the numbers, and I was going to use it as some kind of squeeze page or purchase incentive.

I have decided to release this right here, for free, with no obligation for anything.

I have linked this one image as an attachment, so click the image, or here to get a full size version.

I created that using Xmind, and if this post reaches 100 retweets I will release the source file so you can edit it for your own personal use.

That is another important factor – I am sick of products that include mindmaps and process maps that don’t include files that can be edited. Procedures change, or get customized. A file that can be edited is worth 5x more, even if just for personal use.

No Passwords Link

So the newest video is Andy Jenkins being interviewed about their Stomping The Search Engines 2 launch, which made millions by giving away a high ticket SEO training course, just for the cost of shipping.

It is a very good course, and has just been rereleased, you can get it for $1, immediate online access. (but be quick, I don’t expect the offer to remain open forever)

STSE2 with this offer is probably the best value SEO training from an authority source currently online, though be warned, there is an attached continuity to the offer – the very upfront “ethical bribe” to try out their “Net Effect”

With Launch Tree, I honestly don’t feel comfortable sending you to a site which is asking you for Twitter passwords – it is that “ethical streak” in me, part genetic, part top grammar school education.

Fortunately as I have mentioned Brad’s script is easy to bypass.

Click Here For Andy Jenkins Launch Tree Interview

Direct Link (no password)

Now whilst some might look on this as me bypassing security, before posting this I did make sure the page was indexed in Google already, without any help from me.

Also it is set up as a landing page, and I am using Anik’s smart affiliate system which supports deep linking.

Anyone can make a mistake, release a product without considering all the possible ramifications, but to release Opt-in Accelerator again without major changes is irresponsible.

The Irresponsible Viral Tell-A-Friend Trio

So far there have been 3 such scripts I have written about, and there is a 4th “coming soon”

• My first coverage of Opt-in Accelerator
• Then there was Viral Optin Generator which may well have been a private label or resale rights product
• Viral Inviter is launching soon – last I saw of this script installed “out in the wild” it was a security risk
• There is another one I know about, TrafficXplode 2.0 which also features the same security risks

Relook @ Opt-In Accelerator

You see that big red circle I added?

That is the key to unlocking:-

• Your Email
• Your Google Adsense Account
• Your Google Adwords Account
• Google Analytics
• Google Website Optimizer
• Your PayPal Account
• Affiliate program passwords
• Access Your Blogger account
• Access any scripts that allow you to resend or reset passwords
• Open any social media profile that used that email address
• Did you use that address for domain records? Wave goodbye to your domains

I am not claiming that anyone creating such as script is dishonest, or even the people who might use them, but it takes a huge investment of manpower and financial muscle to keep personal data secure, and those are things most internet marketers don’t have.

All it takes is a script kiddie to come along and compromise the script running on your server, and then rather than acting as an “innocent” tell-a-friend script to boost your email subscribers, it would collect login and password information and forward it to an anonymous server.

All it would take is 2 lines of additional code

We will ignore many of the other potential problems with scraping the email services against their terms of service, potentially breaking the terms of the autoresponder service you use, or totally trashing your email deliverability as 100s of people flag your messages as spam.

I think Robert Plank covered that aspect of Opt-in Accelerator quite adequately.

Solutions

Password data should never be entered in an insecure form hosted by someone without exceptional security in place.

Very Simple Mail To:

This example from Plurk (they also use the insecure method, and have been accused of spam with their Facebook implementation)

http://mail.google.com/mail/?view=cm&cmid=0&fs=1&su=Invitation+to+Plurk.com&body=I+have+been+using+Plurk+and+I+think+you+should+check+it+out%21%0A%0AAccept+my+invitation+by+going+to%3A%0Ahttp%3A%2F%2Fplurk.com%2FredeemByURL%3Ffrom_uid%3D15547%26check%3D-1998160234%26s%3D2%0A%0ACheck+out+my+profile+at%3A%0Ahttp%3A%2F%2Fwww.plurk.com%2Fuser%2Fandybeard%0A%0APlurk.com+-+Your+life%2C+on+the+line&tearoff=1&shva=1&ui=1

http://compose.mail.yahoo.com/?Subj=Invitation+to+Plurk.com&Body=I+have+been+using+Plurk+and+I+think+you+should+check+it+out%21+Accept+my+invitation+by+going+to%3A+http%3A%2F%2Fplurk.com%2FredeemByURL%3Ffrom_uid%3D15547%26check%3D-1998160234%26s%3D2.+Check+out+my+profile+by+going+to%3A+http%3A%2F%2Fwww.plurk.com%2Fuser%2Fandybeard

http://www.hotmail.msn.com/secure/start?action=compose&subject=Invitation+to+Plurk.com&body=I+have+been+using+Plurk+and+I+think+you+should+check+it+out%21%0A%0AAccept+my+invitation+by+going+to%3A%0Ahttp%3A%2F%2Fplurk.com%2FredeemByURL%3Ffrom_uid%3D15547%26check%3D-1998160234%26s%3D2%0A%0ACheck+out+my+profile+at%3A%0Ahttp%3A%2F%2Fwww.plurk.com%2Fuser%2Fandybeard%0A%0APlurk.com+-+Your+life%2C+on+the+line

This code is wonderful because people use their own email server to send the emails, no strain on your servers, so it could be used on any server, even a shared account which has limitations on how many emails you can send per hour.

Existing APIs

Google Yahoo and Microsoft also have APIs for this kind of stuff which can also be used for finding friends.

Google Contacts API
Yahoo! Contact API
Windows Live Contact API

I should also mention the ongoing Oath efforts being made to create a unified interface for retrieving contact and other personal information with permission.

To be fair, I am going to give Jason a link with some partial counter arguments. He seems to think it is worth the risk.

The problem with that argument is that there is no need for this to be a security risk. It is just junk programming.

Email is the de-facto master password for a huge swath of your online identity. Tread carefully:

* As a software developer, you should never ask a user for their email credentials. It’s unethical. It’s irresponsible. It is wrong. If someone is asking you to code this, why? For what purpose?
* As a user, you should never provide your email credentials to anyone except your email service. Sites that ask you for this information are to be regarded with extreme suspicion if not outright distrust.

This is the same terrible system used by many large social networks, and 2 scripts I recently strongly advised internet marketers not to use.

• Optin Accelerator – due to be relaunched soon
• Then there was Viral Optin Generator
• Coming soon is Viral Inviter which has some redeeming qualities, it works with old address books from Outlook etc, but it is still asking for highly personal passwords, and there are some other security faults.

Viral Inviter, with even heavier marketing and endorsements, will have a huge long-term negative effect on email marketing, with the rewards quickly being overtaken by a backlash of negative sentiment and poorer email delivery which will be universal.

Plurk which has very recently become very popular also suffers from this evil invite and finding friends method, but at least has a redeeming feature.

http://mail.google.com/mail/?view=cm&cmid=0&fs=1&su=Invitation+to+Plurk.com&body=I+have+been+using+Plurk+and+I+think+you+should+check+it+out%21%0A%0AAccept+my+invitation+by+going+to%3A%0Ahttp%3A%2F%2Fplurk.com%2FredeemByURL%3Ffrom_uid%3D15547%26check%3D-1998160234%26s%3D2%0A%0ACheck+out+my+profile+at%3A%0Ahttp%3A%2F%2Fwww.plurk.com%2Fuser%2Fandybeard%0A%0APlurk.com+-+Your+life%2C+on+the+line&tearoff=1&shva=1&ui=1

http://compose.mail.yahoo.com/?Subj=Invitation+to+Plurk.com&Body=I+have+been+using+Plurk+and+I+think+you+should+check+it+out%21+Accept+my+invitation+by+going+to%3A+http%3A%2F%2Fplurk.com%2FredeemByURL%3Ffrom_uid%3D15547%26check%3D-1998160234%26s%3D2.+Check+out+my+profile+by+going+to%3A+http%3A%2F%2Fwww.plurk.com%2Fuser%2Fandybeard

http://www.hotmail.msn.com/secure/start?action=compose&subject=Invitation+to+Plurk.com&body=I+have+been+using+Plurk+and+I+think+you+should+check+it+out%21%0A%0AAccept+my+invitation+by+going+to%3A%0Ahttp%3A%2F%2Fplurk.com%2FredeemByURL%3Ffrom_uid%3D15547%26check%3D-1998160234%26s%3D2%0A%0ACheck+out+my+profile+at%3A%0Ahttp%3A%2F%2Fwww.plurk.com%2Fuser%2Fandybeard%0A%0APlurk.com+-+Your+life%2C+on+the+line

That first line for instance brings up an invite email inside Gmail, no need to scrape Gmail contacts, and then you can use Gmail’s own address book to access contacts.

They also use Facebook

Existing APIs

Google Yahoo and Microsoft also have APIs for this kind of stuff which can also be used for finding friends.

Google Contacts API
Yahoo! Contact API
Windows Live Contact API

Over the last few months I have already taken the decision not to promote a number of sites and services launched by Internet Marketers using these dangerous scripts.

I have proven I can rank highly in the SERPs for any product. It is going to help conversions when on the first page of the SERPs for your product name potential customers find…

Product Name – WARNING: SECURITY RISK – Read This First!
or
Product Name by Marketer Name – Warning: Security Risk

The only problem is, this won’t be a typical fake affiliate promotion, but a real warning

Update

Tim has provided the code so that anyone who buys one of these viral tell a friend scripts can easily modify it so that it stores all the personal data entered in a form. It would take a typical script kiddie less than 2 minutes.

Doing it on someone else’s server is a little more work, plus they would need to get access, but how many people really think their websites running 3rd party scripts are totally secure.

Tim points out Paypal… how many marketers use Gmail for Paypal access, along with their Adwords, Adsense, Domain registrations etc. I know I do, because I trust Google with the data more than I trust my ISP – plus it would be a thankless task changing everything if you changed ISP.

Marketers are the perfect target

• Running lots of 3rd party scripts on a site
• Often running outdated versions of WordPress
• Have multiple sites on the same server
• Have a “set and forget” mentality

http://www.viraloptingenerator.com/index.php

This script is different to Optin Accelerator in a number of ways

• The script is hosted 100% on your server
• No subscription fee
• It doesn’t “send home” any date, so it is 100% your responsibility

In theory that makes it almost exactly the same as the scripts used by the big boys of Web2.0 though their servers are less likely to conk out the first time someone with 200 contacts in Gmail uses the script if you are on shared or even most reseller hosting. You would probably have problems on most virtual servers as well.
I don’t know if the service can be configured to use a 3rd party SMTP, whether it uses sendmail, phpmailer, or swiftmailer.

If you are a smart programmer, picking this up might give you a few ideas, but remember

• It is still against the published ToS of Aweber
• You are still encouraging people to do something that is unsafe if running an internet business
• Legal liability – it is you sending the emails – in some ways I would be worried about the claims on the sales letter that it doesn’t keep a record – if you are sending emails there is always a record somewhere, though you are best advised to keep a record of every email you send anywhere.
• The script needs to be maintained for updates – maybe it will be updated over time, but best to allow for programming time to keep it working.
• The Plaxo option is free, and maybe safer

I have thought a little more about the suggestion Aweber make about forwarding emails – that is actually unsafe for most email lists, because many readers will also forward unsubscription information. What happens if they forward it when you are price testing? Forwarding effectively encourages public posting.
Maybe it is better to mail the person sending when they use a standard TAF with a letter encouraging they forward that to friends and also the message that goes to their friends.

It is still TAF though, so check with your email service provider.

• It took a long time for internet marketers to copy the viral signup mechanisms used by many internet startups, including the more established Facebook, LinkedIn, Myspace etc.
• It is a massive business security risk
• People are going to buy it and use it and their customers are going to face the risk
• Some of my subscribers might damage their business either by using it for one of their sites, or giving their account access away.

Now I hoped that as soon as people realised it was a bad idea despite having massive viral potential, the product would be pulled.

Currently it looks like the site has been closed – I have high regards for Reed Floren and Matt Haslem who launched it, so I am assuming it is off the market.

That being said, I have seen a few people using it still – if it is just limited circulation, some people need to be a little careful.

So where did they go wrong?

What Did Optin Accelerator Do?

Quite simply you hand over your login information to your primary email account, and it scrapes addresses so you can send an email to all your friends about a new service you have found, or product.
Yes… exactly the same process as is used by many Web2.0 sites, but you don’t have to worry about the technical details of how things work, because the script is on their servers, and calls home.

This means that your subscribers are sharing their personal login information to their email account with a 3rd party just to promote your product.
The big guys are generally using 1st party scripting, still risky but at least you know who has your data (I would never use it though)

Robert Plank has gone into that aspect of Optin Accelerator in some depth

Here is part of the comment I left on his blog post

Google has unified login, so does Yahoo and MSN.

By handing over login information, you are hading over not only your email (which could be full of important passwords for affiliate accounts) but also providing access to Adsense, Adwords, Google Analytics, Google AppEngine (if you are a geek)

It would also allow someone to reset every password you have which sends resent information to your emil, such as all your wordpress blogs, hosting etc.

Handing over this information is throwing your whole internet business into turmoil.

Would you want to encourage your own subscribers to do that?

Robert has actually gone through all the terms of service of each of the large online email services, and it seems handing over your account details is breaking their terms and conditions. How the hell do the big guys get away with such a security risk?

If that isn’t bad enough, it has been determined

• It is against Aweber’s terms of service (as are all tell-a-friend scripts) – that being said, I know people who use tell-a-friend scripts who primarily use Aweber – I have no idea how they get away with that.
  A guy in Robert’s comments (Craig) posted a response from Aweber

  Thank you very mush for bringing this to our attention. We have taken action to contact the owners of that product.

  Please understand that this was done without our consent, and will be fully addressed. We take many steps here to ensure your deliverability, including monitoring the use of customer accounts, so that even should someone use this type of program without our consent, we would remove them from the service.

  Thank you again for bringing this to light. If you have any questions at all, please feel free to let me know.

  Regards,
  Tracey Churray
  Director Of Customer Solutions

• Most hosting affiliates use would have problems handling the emails being sent, unless they are using SMTP through Gmail for instance
• If it is a really good product, shouldn’t you be promoting it as an affiliate?
• Melody from Women’s Net also mentioned the possibility of liability
• Plaxo provide fwidget for free that could be integrated to achieve effectively the same – that is slightly less risky (suggested by David L. Cross)
• Randolf Smith goes into the nature of email address books (all those friends and family) – how many are really interested in a specific product? Also as an affiliate, why would you promote something for free? At least Tell-A-Friend scripts often pass on your affiliate links, but that only works down one level – if it is really good, isn’t promoting to your list or blog readers better?

People You Know vs Sending Email

If you are going to use one of these scripts, it is much better to use the export and import contact list options often provided.
If there isn’t anything provided, you can also create a new email account just for importing contacts which has no private information.

I can see a real reason to find people you already know on a service – maybe services should be using the MyBlogLog API in a smart way.

If your service encourages every person who joins to send out 100s of emails, it becomes spam even if it technically isn’t if they are personal contacts, and you are doing it in a non-professional capacity.