A long weekend after catching some bad PR (ZDNet) for selling user data to third party companies, reputation management startup Rapleaf now appears to be spamming the emails of long-ago registered users. It looks like a case study of what not to do from a company I've been hoping would prove a success.

Rapleaf's stated purpose is to serve as a cross-site system for tracking your reputation vis-à-vis interactions with other people around the web. It's like an Ebay reputation for the whole internet. It's a really interesting idea. It's also a business based on trust, a delicate matter in an emerging age of data portability.

To be fair, the site could have seen a huge influx of traffic, and thus real search queries, when the first bad news came out. It seems unlikely, though, that the 6 people who told me on Twitter that they also received emails from Rapleaf today were honestly searched-for in the past 2 days using this relatively obscure service. The company has also instituted some new email push features in the past week, though there's no mention of search subjects getting emailed on the company blog (come on guys). (It may be that all it takes to get an email from Rapleaf is for someone else who has you in their email contacts to try out the service. Small but very bad move on the company's part.)

If you've been following Facebook app development, for example, you know that the "when do I send a notification" question is one companies are wrestling with as much today as ever. Likewise, it's hip to ask users for their email usernames and passwords today - though it's not going to be the casual thing many companies are treating it as now for much longer. Emails are everywhere and many people are nervous. I don't see any public response to any of these questions and criticism by Rapleaf. Update: A couple of days later, Rapleaf has made a very long, thoughtful and encouraging post to their blog. Check it out.

The ZDNet story about selling data was so stirring that more than 5 readers braved the noxious ZDNet commenting requirements to reply. You want to talk about selling user data? Why do you think all these ZDNet/CNet blogs ask so much information when they require you to register to comment? If not to sell that data, then to "verify" the demographics of their readers to advertisers - or at least the handful of readers who comply. This ZDNet story is in fact one of the most reactionary pieces of trash I've read in awhile. Consumer control over data portability is great (see this, for example), but that kind of backlash against data portability all-together is just anti-innovation.

So the company was criticized last week for selling user data - but not email addresses - to third party companies. This, in and of itself, doesn't seem like a problem to me. I think that the monetization of aggregate, anonymous data is a powerful means of making money that I hope more companies will pursue in the future. Presuming, of course, that a legitimate marketplace emerges and there's parties other than pure scumbag companies to do the buying (subjective, I know.)

Update: after reading more about how the company works, marketers in fact come to them with email addresses and Rapleaf and allied companies fill in details about the people behind those addresses for more effective targeting. Any marketing company that buys more ads targeting me and my friends on Twitter than on MySpace, instead of just sending bulk spam into my Gmail spambox - that's a good step for a company to take, in my mind.

Data-mining can be a good thing. Twitter, for example, seems like a data-mining commodity just waiting to happen. If you're familiar with the UMBC project Twitterment, for example, that's a service I'd readily buy data from if it worked reliably. The serious problems experienced by all 3rd parties building on the Twitter API is another story, though, and one that threatens a pretty cool potential mini-economy imho. As someone who makes a living, in part, by being early in the news cycle - a system for putting a giant ear to the ground has value for me.

Nonetheless, data mining does have a bad name.

What do you do if you're Rapleaf in this situation? You do not send out scores of emails telling registered (non)users that "someone has searched for you on Rapleaf" with a link to click through to your profile. No one believes it. As a service whose value proposition to users is verification and trust - this email story is another PR crisis following the last one. I'm sure they know that.

Here's what I think they ought to do:

Institute OpenID login with a clear explanation that AIM screennames are sufficient and stop requiring people to register for a Rapleaf account in order to edit or delete their Rapleaf pages. (Good faith gesture towards the nerds and good policy.) Put a link on the top of every landing page from the emails sent out, linking to a post on the company's blog. Post to the blog an apology for being over-eager in who to contact and when. Email addresses fly all over the web all day long, but reputable business don't email those addresses unsolicited. Mea culpa. Then explain what Rapleaf does, why you have peoples' email addresses and what the value of the service is. Draw an explicit analogy to eBay and to Google. Make it short, enable comments to that post and reply to the comments with more comments. Do an Ask.com blogsearch (nearly spam free) for Rapleaf and privacy, sort by popularity and get to work apologizing for spam with a link to the blog post.

That's what they ought to do. Then they need to remake their reputation as the ultimate verification system and never abuse their access to emails again. Go ahead and keep selling the information that they are to marketers, they've created a unique tool to leverage data portability that I think is ok.

Good luck to us all in the stormy future that's now!