Tom's Blog
Legitimate businesses selling out to spammers
Published by Tom | October 29, 2006 10:35 PM EST
Like most tech geeks, I own multiple domain names and dozens of email addresses. I have configured many of my email servers with "catch-all" or wild-card forwards that allow mail sent to any address at a particular domain to be delivered to a particular inbox. One of my uses for this setup is to allow me to use unique email addresses when I give out my email address to online businesses. Doing so allows me to filter incoming email, immediately gauge the priority of email, and track whether my email addresses leak beyond the online company with which I originally shared them.
With two notable exceptions, email addresses I have given out to companies end up being used by them only for legitimate business communications. The two recent exceptions: Addison-Wesley and Lands' End. Spam is making email less and less useful each passing month as hundreds or even thousands of spam messages flood my inboxes daily. I always thought the people who sell or trade email addresses for spam use were faceless individuals operating from their living rooms, not major companies like Addison-Wesley and Lands' End or their affiliates.
With Addison-Wesley, I signed up for an email list several years ago for announcements of new technology titles. For a while, I received emails from Addison-Wesley every month or so announcing its latest technology books. The mailing list was low-volume and useful.
I no longer receive announcements of new books from Addison-Wesley. But the email address I gave them is now used by spammers several times a day to send me unsolicited commercial email messages. Here are some headers from a spam email I received tonight advertising "Cheap Vl x AG x RA":
Return-Path: <olmedaa@iskiv.net>
Received: from iskiv.net (lns-bzn-22-82-249-89-146.adsl.proxad.net [82.249.89.146])
by [my email server] with SMTP id k9T7mmeJ029902
for <awbookalert@[my domain]>; Sun, 29 Oct 2006 07:48:54 GMT
Reply-To: "Romano Wischmeier"
From: "Romano Wischmeier"
To: awbookalert@[my domain]
Subject: Re: 693
Now, with an email address like "awbookalert," you figure no spammer stumbled onto this address by guessing. More likely, the spammer purchased the address from someone who stole it from Addison-Wesley's computers, or Addison-Wesley gave it away or sold my email address for use by spammers. I consider it unlikely this email address was stolen from my computers because I use several "alias" email addresses and have had a problem only with this one I gave to Addison-Wesley.
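To make the tracking setup concrete, here is an added example (mine, not code from the original post) that classifies incoming mail by which vendor-specific alias it was delivered to and whether the sender belongs to the vendor that alias was given to. The alias map, the vendor domains and example.com are assumptions; the sample message is adapted from the headers quoted above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

MY_DOMAIN = "example.com"  # stands in for "[my domain]" in the post

# Alias local-part -> domains that vendor is expected to mail from.
# Constructed for illustration; the vendor domains are assumptions.
ALIASES = {
    "awbookalert": {"awl.com", "pearsoned.com"},
    "landsend-order": {"landsend.com"},
}

def recipient_alias(msg):
    """Alias local-part the message was delivered to. The 'for <...>' clause
    of Received is the envelope recipient; To: can be forged, so it is last."""
    candidates = []
    for rcvd in msg.get_all("Received", []):
        m = re.search(r"for <([^>]+)>", rcvd)
        if m:
            candidates.append(m.group(1))
    candidates.append(parseaddr(msg.get("To", ""))[1])
    for addr in candidates:
        local, _, domain = addr.rpartition("@")
        if domain.lower() == MY_DOMAIN:
            return local.lower()
    return None

def classify(raw_message):
    """(alias, verdict): 'expected' if every sender domain (Return-Path, From)
    belongs to the vendor given that alias; 'leaked' otherwise; 'untracked'."""
    msg = message_from_string(raw_message)
    alias = recipient_alias(msg)
    if alias not in ALIASES:
        return alias, "untracked"
    sender_domains = set()
    for hdr in ("Return-Path", "From"):
        addr = parseaddr(msg.get(hdr, ""))[1]
        if "@" in addr:
            sender_domains.add(addr.rpartition("@")[2].lower())
    if sender_domains and sender_domains <= ALIASES[alias]:
        return alias, "expected"
    return alias, "leaked"

# Sample adapted from the post's headers: "[my domain]" -> MY_DOMAIN, Received folded to one line.
SPAM = """Return-Path: <olmedaa@iskiv.net>
Received: from iskiv.net (lns-bzn-22-82-249-89-146.adsl.proxad.net [82.249.89.146]) by mail.example.com with SMTP id k9T7mmeJ029902 for <awbookalert@example.com>; Sun, 29 Oct 2006 07:48:54 GMT
From: "Romano Wischmeier"
To: awbookalert@example.com
Subject: Re: 693"""
```

Running `classify(SPAM)` yields `('awbookalert', 'leaked')`: the alias was handed only to Addison-Wesley, yet the sender domain is iskiv.net.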
I checked Addison-Wesley's privacy policy to see if they protect email addresses as private information. You know what? They don't. Addison-Wesley treats as private "your name, address, phone number, date of birth, job, personal interests, and credit card information," but your email address is not covered by Addison-Wesley's privacy policy. Addison-Wesley, and parent company Pearson Education, should be ashamed to have a privacy policy like this where email addresses are not held in confidence.
Another company contributing to spam is Lands' End. My wife ordered clothing a few weeks ago online from Lands' End, again using an email address unique to this one transaction. Lands' End sent two emails to this address: an order confirmation and a shipping notice.
Last week, though, she received an email sent to this unique address from a company advertising self-confidence books. Her thought was Lands' End either suffered a computer security breach, and the thieves sold her email address to spammers, or this publishing company is affiliated with Lands' End. Lands' End's privacy policy acknowledges the company shares private information with business partners. My wife called Lands' End to find out how this publishing company obtained her email address.
The Lands' End customer-service representative my wife spoke with assured her the publishing company is not affiliated with Lands' End, and that Lands' End experienced no data security breach. The spam must have originated, she said, with someone breaking into her ISP's email server and stealing that address.
Yeah. Uh huh. Someone broke into an email server and stole a solitary email address. These thieves overlooked the dozens of other email aliases on her server and focused solely on this one email address she shared with Lands' End. (Her email server is different from mine, by the way, eliminating the possibility that a single server was the source for both these email addresses picked up by the spammers.)
If Lands' End's computers were not broken into, it seems likely one of its business partners is using email addresses in ways not sanctioned (or at least acknowledged) by Lands' End. A possible partner could be Coremetrics, a company that provides website analytics for Lands' End. Lands' End says they share website information with Coremetrics, but the "data that they collect for us [cannot be used] for any other purpose." Interestingly, the self-help publisher who sent my wife the spam also is a Coremetrics customer.
I don't want to cast aspersions on Coremetrics. They have many online retail customers. What I want to ask Lands' End is which is more likely:
- Hackers broke into two of our ISP's email servers and stole one email address from each?
- One of your business partners is violating the confidentiality of your customer information?
- A hacker broke into your computer system and stole information?
If companies don't want to suffer black eyes when the public discovers how casually or carelessly they treat their customers' information, they need to start treating data privacy more seriously. The alternative, they will find, is that Congress will receive enough pressure from Americans so fed up with spam and identity theft that it will tighten data-privacy laws to make it a criminal offense when what should be private data leaks from their computer systems. When the first CEO goes to jail for contributing to spam or identity theft because the company treated customer data carelessly, perhaps that's when we'll see companies treat customer data with more seriousness and care.
Comments:
Wow, pretty lofty comments there, but I'm not seeing much for fact. I am a Lands' End customer as well and I highly doubt they are as ignorant as you make them out to be. Especially since when I read their privacy policy (via your link no less), my takeaway is that they do not share any information from orders placed online. If I'm not mistaken, you said your wife placed her order via their website. Probably can't be proven one way or the other as to why you received a single piece of spam, but to make the comment that Lands' End is a "company contributing to spam" is a little far-fetched. Facts please, then maybe something can be taken seriously.
Regards.
Posted by John Hoover on October 31, 2006 at 02:40 PM EST #
Thank you for your comment, John. Yes, Lands' End's privacy statement assures they will "absolutely" not share your data as a result of placing an online order. I applaud Lands' End for its stated respect for personal data and for detailing the specific privacy differences between ordering online and ordering by phone. The privacy statement is in keeping with Lands' End's reputation for quality and customer service. The issue is not the strength of the privacy promise; rather, the issue is the company's compliance with the principles of its privacy policy.
A unique email was given during an order on their secure website. They sent two emails: confirmation and shipping. The next email sent to that address was unsolicited and came from a Coremetrics client. Lands' End contracts with Coremetrics for website functions, as stated in its privacy policy. Coremetrics is contractually obligated to maintain "strict confidence" with customer data. My wife, Renee, called to find out if the unsolicited email was sent from a Lands' End affiliated business, an explicitly approved practice in Lands' End's privacy policy, and to opt out if possible. First, the Lands' End rep. told Renee that her name and address used for that online transaction were on the company's list to be sold to non-affiliated companies. Selling her name and address would conflict with Lands' End's stated privacy policy for online transactions, which guarantees no data to be sold to non-affiliates. Next, Renee was transferred to the online division for assistance with the email address status. The rep. there assured her the other Coremetrics client sending the email was not an affiliate of Lands' End. The common thread of two Coremetrics clients having possession of and using the same unique email address seemed enough reason to alert Lands' End to the potential misuse of the private data.
Disappointingly, Lands' End said there was absolutely no possibility the unique email address Renee gave them got into the hands of the other Coremetrics client through Lands' End's actions or those of its affiliates. If the email address had been used for other purposes, or had received other spam, it would be a less compelling case. Lands' End resisted the request to investigate how its affiliated companies might have used the email address. The rep. just said Lands' End bears no responsibility for Renee's email address being used by other businesses because "spam happens" as an inherent risk for all consumers doing business online.
The particular circumstances of this matter point to the possibility that Lands' End's privacy policy might have been violated. Yet the Lands' End rep. said the company has no interest in investigating the potential misuse of consumer data by them or by their contractual partners. Their response and lack of any way to report possible violations of the privacy policy undermine the enforcement strength of that policy. Privacy policies will be little more than empty promises without a commitment by companies not to pass the buck when the policy could have been violated.
Posted by Tom McQueeney on November 01, 2006 at 09:39 PM EST #
I, too, received spam via an e-mail address that only Lands' End should have. Guess the thieves broke into my mail server, too.
Posted by John Gregg on November 07, 2006 at 01:14 AM EST #