Email verification – what are we verifying

One of the ongoing discussions in the email space is the one about address verification. Multiple companies have sprung up to do “real time” email address verification. They ensure that addresses collected at the point of sale are valid.
But what does valid mean? In most of these contexts, valid means that the addresses don’t bounce and aren’t spam traps. And that is one part of validating email addresses.
That isn’t the only part, though. In my opinion, an even more important thing to validate is that the email address belongs to the person giving it to you. The Consumerist has had an ongoing series of articles discussing people getting mis-directed email from various companies.
Today the culprit is AT&T, who are sending a lot of personal information to an email address of someone totally unconnected to that account. There are a lot of big problems with this, and it’s not just in the realm of email delivery.
The biggest problem, as I see it, is that AT&T is exposing personally identifiable information (PII) to third parties. What’s even worse, though, is that AT&T has no process in place for the recipient to correct the issue. Even when notified of the problem, support can’t do anything to fix the problem.

I contacted the live chat support for this account (since the notification emails are “do not reply”) to have a support rep help their customer correct their account. However, the support rep said there was nothing they could do, that I should not receive emails too often, and to try calling their business customer myself to get it fixed.

The inability to make corrections on data is not unique to AT&T. There are a lot of places where if someone incorrectly attaches an address (or phone number, or SMS number) to an account there is no recourse for the person who actually owns that address. Over the holidays someone attached my phone number to their Yahoo account, resulting in me getting SMS messages about password and secret question updates. There was no way for me to tell Yahoo “not my account” so I just had to deal with the SMS messages until the person involved figured it out and took my number off the account.
Verifying email addresses as valid is great. But just because an address is valid does not mean that it belongs to that customer.
I see a lot of places pushing address verification as a fix for poor delivery. And it will be in most cases. The problem is, poor delivery is simply a symptom of not verifying that the recipients are customers. Sending only to valid addresses, doesn’t stop spam to 3rd parties when customers give wrong but totally valid addresses.
Every company should send out a welcome message that allows recipients to confirm that they are the right person. Every company should take steps to stop releasing PII to third parties. Every company should think about more than just verifying that an address is valid, but that the address is valid for their customer.

Related Posts

MAAWG and email appending

In today’s Magill Report Ken says:

The only surprise in the Messaging Anti-Abuse Working Group’s statement last week condemning email appending was that it didn’t publish one sooner.
However, MAAWG’s implication that email appending can’t be accomplished without spamming is nonsense.

Read More

Motion to dismiss in Penkava v. Yahoo case

Earlier this month Yahoo filed a motion to dismiss in the Penkava v. Yahoo. This is the class action lawsuit where an Alabama resident is attempting to sue Yahoo for violation of the California wiretapping law.
Here’s the short synopsis.
People send mail to Yahoo. Yahoo “creeps and peeps” on that mail so they can profit from it. Plaintiff doesn’t like this, and thinks that he can use the California Invasion of Privacy Act (“CIPA”), (Cal. Penal Code § 630, et seq;) to stop Yahoo from doing this. Additionally, there is a whole class of people who live in every state but California who have also been harmed by Yahoo’s actions. The plaintiff would like the court to make Yahoo stop doing this. (First Amended Complaint)
Yahoo’s motion to dismiss is actually pretty dry and there aren’t really any zinger pull quotes that make sense without reading the whole 35 pages. The short version is that what Yahoo is doing is not a violation of California law, it is simply handling email as it has to be done to get it to recipients. Plus, California law cannot apply to mail sent from a non-CA resident to a non-CA resident because that would violate the dormant commerce clause. The class as defined makes no sense. Finally, the plaintiff continues to send mail to Yahoo addresses knowing the mail is being “scanned” and that is implicit permission for Yahoo to do it.
In the initial complaint there was an allegation that Yahoo’s behaviour was a violation of Federal and/or California Wiretapping laws. These allegations appear to have been dropped in the First Amended Complaint.
Right now there is a hearing scheduled for March 13, 2013. I’ll keep an eye on the filings.

Read More