I received an innocent-looking email with the subject line, "Can I get your current contact information?" I looked at the sender's address. Nope, that name and domain name didn't ring a bell. Logic told me that I should delete any email from an unknown source asking for contact information. However...

Since I write for various publications, I often get mail from unknown sources, including readers who want to follow up on an article I've written. So I gave my mystery email a chance and opened it up. It turns out it was a request from a Plaxo user, asking me to update my personal contact information in his database.

Delete.

Plaxo may be a helpful way for home users to keep track of contact information for their family members and friends. However, enterprise organisations are rightfully concerned about privacy issues, and they are telling their employees not to use Plaxo or other such services on the corporate network, and not to share company contact information.

Plaxo is a contact management application provided by the company of the same name. It is placed in the category of 'social networking' software, since two or more members of the service can easily keep up to date with each other. Similar services are offered by Orkut, Friendster and Ryze.

Uploading your private data
What enterprises find so offensive about Plaxo is that it automatically integrates with your Outlook address book and uploads the private contact data to a Plaxo server. The following statement, which is enough to give a privacy officer fits, is taken from the Plaxo Web site: "Plaxo 2.0 plugs directly in to Outlook or Outlook Express. Your existing contacts, calendar, tasks, and notes will be quickly backed up to the Plaxo Network and up-to-date - with no extra steps required! Not only will you have a secure backup of your vital information, you can access it from anywhere using Plaxo Online."

That sentence says a mouthful. All the names and private information in your Outlook contacts list can get sucked into this online service. You have no clue where that private data is going, or who has access to it. What's more, the people whose information has just been transferred have not given their consent to expose their personal data. This could (should) be a major breach of your company's data privacy policy.

Of course, Plaxo has a privacy policy under which it claims to protect privacy rights. Plaxo is most concerned about its members' privacy, but what of the privacy of the non-members whose data is now stored on their server? Again, from the Web site: "Although we will use every reasonable effort to preserve your privacy (and that of your contacts), we may need to disclose Your Information, including personally identifiable information, when required by law if we have a good-faith belief that such action is necessary to comply with a current judicial proceeding, a court order or legal process served on Plaxo and/or the Site (see "Government Authority" below for more information). We will notify you of such actions where reasonable and permitted by law." I'm starting to get uncomfortable...

As if that doesn't make you squeamish enough, here's what could happen if Plaxo Inc. is ever acquired or merges with another company. The privacy policy states: "In the event Plaxo goes through a business transition, such as a merger, acquisition or the sale of all or substantially all of its assets (a "Business Transition"), your membership in the Plaxo Network and the Plaxo servers containing Your Information will, in most instances, be part of the assets transferred. In such event, you will be notified via e-mail and/or through a notice on our Web site and any other appropriate methods prior to the Business Transition, and Plaxo's custody of Your Information will be transferred subject to all the terms and restrictions in this Privacy Policy.

A not-so-private Privacy Policy
"Following a Business Transition, Plaxo or its successors will continue to use Your Information in accordance with the Privacy Policy under which the information was collected. If, however, we plan to use Your Information in a manner different from that stated at the time of collection we will notify you via e-mail and/or through a notice on our Web site and any other appropriate methods. You will have a choice as to whether or not we use Your Information in this different manner. Whether or not you wish to have Your Information used in this different manner, you will retain ownership rights to Your Information and the ability to delete Your Information at any time. Please note, if you have deleted or deactivated your account with the Services or are an opt-out User, then you will not be contacted, nor will Your Information be used in this different manner."

Oh, man, your corporate privacy officer just had a cow over that statement. Any Plaxo user has just exposed his entire collection of contact names to the whims of the owners of the service.

If you haven't done so already, it's time to issue an alert to your employees that social networking services such as Plaxo and the others mentioned above are strictly prohibited on your corporate network. What's more, corporate data such as email addresses and telephone numbers must not be entered into the service. If these products are already in use, employees should stop using them immediately, inform the service that they wish to stop using it, and uninstall the software from company-owned PCs.

Data privacy is nothing to take lightly. While Plaxo may have good intentions, the service should not be trusted unless your company enters into a specific legally-binding contract that adheres to your corporate privacy policy.

Linda Musthaler is vice president of Currid & Company.