Nextdoor neighborhood app sends letters on its users’ behalf

Credit to Author: Pieter Arntz | Date: Tue, 27 Aug 2019 16:35:31 +0000

Dutch police departments and consumer organizations issued warnings about the use of the Nextdoor neighborhood app because people received letters (yes, as in snail-mail) pretending to come from someone in their neighborhood, which the alleged senders did not send or deliver. So, everyone figured there must be some kind of scam going on and decided to warn the public.

Nextdoor is an app that you can use to stay informed about what’s going on in your neighborhood. It can be used to find last-minute babysitters, share safety tips, or simply communicate with neighbors. The app ties people together based on their location, so in this way, it is different from many other apps where people can form their own groups.

We talked to a woman whom we’ll refer to as W.H., as she wishes to remain anonymous. Letters in her neighborhood were delivered with her as the sender. The letters were asking the receivers to install the app and join the community. W.H. did not send those letters, but she was a user of the Nextdoor app. And she remembered receiving an email from Nextdoor asking whether she would like to invite the people in her neighborhood.

[Image: permission to invite neighbours]

“Hi W.

Invite your neighbors to help grow your Nextdoor neighborhood. This are [sic] 100 extra invitations to send to your neighbors!

Click the button below and we will automatically and completely free of charge send 100 personalized invitations to your closest neighbors by mail.

The invitation will have your name and street on them and contain information about Nextdoor.

Kind regards,

Michel on behalf of Nextdoor Netherlands”

W.H. clicked the button expecting to get the option to select a number of her neighbors that she wanted to invite, but all she got was a notice that the link had expired. She didn’t think about it again until one of her neighbors showed her the letter they received and informed her about the warnings that had already started to circulate by then.

This is an example of the letter that was sent out in her name.

[Image: snail mail letter]

“Howdy neighbor,

Our neighborhood uses the free and invitation-only neighborhood app Nextdoor. It is our hope that you will join as well. In this neighborhood app we share local tips and recommendations……

It is 100% free and invitation only – for our neighbors only.

Download the Nextdoor app ….. and enter this invitation code to sign up for our neighborhood.

(this code expires in 7 days)

Your neighbor from [redacted]”

In a blog post where Nextdoor explains (in Dutch) how this invitation model came to be, they point out that when you first register with the app, it also asks for your permission to send out invitations to your neighbors. This may indicate that there are members who didn’t even get the email W.H. received asking whether she wanted to invite 100 extra neighbors. So to these users, a query from their neighbors about the letter may come as an even bigger surprise.

Privacy policy

One effect of the commotion about the letters is that consumer organizations have scrutinized the Nextdoor privacy policy. The Dutch “Consumentenbond” finds the policy leaves too much room for privacy infringements and expects it will be a tough battle in court for all those who feel let down or even betrayed by the company. W.H. let us know she finds the app useful and will continue to use it.

To be fair, we should expect an amount of targeted advertising when we sign up for free apps like these. It is important to remember that when it comes to free apps, there is a good possibility that you and your personal data are the commodities.

Not a scam, but…

Neighborhood apps are becoming more popular because people want to be more involved with their communities, and because they provide a feeling of enhanced security.

Although the method used by Nextdoor to reach new customers is questionable, we can’t deny that they did inform their customers and ask for their permission. However, sending out snail mail messages in someone’s name is a bit unorthodox and therefore should have been communicated much more clearly. This method has backfired for Nextdoor, due to negative media attention, and may have scared more customers away than it has gained.

From the reaction on their own blog, where they explain the how and why behind this method, we learned that Nextdoor intends to keep mailing out letters on its users’ behalf, which is another reason we felt we should raise awareness about this matter.

Like many other apps of this kind, Nextdoor gathers information about their customers and uses it for targeted marketing. Given the type of data—community information, locations, names—this is extremely valuable for marketing purposes, but could also be a security issue.

Sharing your information with people who live in your neighborhood, but whom you don’t really know very well, could have its drawbacks as well. We advise against sharing your vacation plans while asking everyone to keep an eye out. You may also be informing the resident burglar.

Stay vigilant, everyone!

The post Nextdoor neighborhood app sends letters on its users’ behalf appeared first on Malwarebytes Labs.
