Email verification – what are we verifying

E

One of the ongoing discussions in the email space is the one about address verification. Multiple companies have sprung up to do “real time” email address verification. They ensure that addresses collected at the point of sale are valid.
But what does valid mean? In most of these contexts, valid means that the addresses don’t bounce and aren’t spam traps. And that is one part of validating email addresses.
That isn’t the only part, though. In my opinion, an even more important thing to validate is that the email address belongs to the person giving it to you. The Consumerist has had an ongoing series of articles discussing people getting mis-directed email from various companies.
Today the culprit is AT&T, who are sending a lot of personal information to an email address of someone totally unconnected to that account. There are a lot of big problems with this, and it’s not just in the realm of email delivery.
The biggest problem, as I see it, is that AT&T is exposing personally identifiable information (PII) to third parties. What’s even worse, though, is that AT&T has no process in place for the recipient to correct the issue. Even when notified of the problem, support can’t do anything to fix the problem.

I contacted the live chat support for this account (since the notification emails are “do not reply”) to have a support rep help their customer correct their account. However, the support rep said there was nothing they could do, that I should not receive emails too often, and to try calling their business customer myself to get it fixed.

The inability to make corrections on data is not unique to AT&T. There are a lot of places where if someone incorrectly attaches an address (or phone number, or SMS number) to an account there is no recourse for the person who actually owns that address. Over the holidays someone attached my phone number to their Yahoo account, resulting in me getting SMS messages about password and secret question updates. There was no way for me to tell Yahoo “not my account” so I just had to deal with the SMS messages until the person involved figured it out and took my number off the account.
Verifying email addresses as valid is great. But just because an address is valid does not mean that it belongs to that customer.
I see a lot of places pushing address verification as a fix for poor delivery. And it will be in most cases. The problem is, poor delivery is simply a symptom of not verifying that the recipients are customers. Sending only to valid addresses, doesn’t stop spam to 3rd parties when customers give wrong but totally valid addresses.
Every company should send out a welcome message that allows recipients to confirm that they are the right person. Every company should take steps to stop releasing PII to third parties. Every company should think about more than just verifying that an address is valid, but that the address is valid for their customer.

About the author

2 comments

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • It gets better. Suppose someone (hypothetically, let’s say, an ex-wife) signed up for someone’s service with your phone number. Again, hypothetically, let’s suppose this was Cox Communications. And then, let’s suppose that this person didn’t pay their bill for long enough that collection agents became involved. So, along with that company’s own accounts receivable, they’d also handed your phone number off to a whole co-reg worth of people, and said “Go hassle this guy”.
    Note at this point that I am not their customer. I have never been their customer. I call them, and ask them to stop. “Well, I see the account your number is associated with”, I am told, “but because it is not your account, I can’t change it. We can’t just let anybody go changing the data in someone else’s account.”.
    And that’s a fair point. I understand that. But it is MY phone number, not theirs.
    I wind up solving this problem every few months, with Federal Trade Commission complaints.

  • *Ding*Ding*Ding*Ding*Ding*
    Spam annoys me (obviously), and I’ve spent a great deal of time and effort to help stop spammers. But the unsolicited *bulk* (i.e. marketing) email from businesses to my spamtraps scares me much less than the unsolicited transactional email that I see every day from banks, financial institutions, and businesses to spamtraps that they think belong to their customers. :/
    In some cases, the private information in these emails constitutes an outright security breach. It appears that I could log onto accounts, order merchandise, or withdraw funds with no more information than I have from the email itself, although of course I have never tried to do so and wouldn’t. In many other cases, I simply find out that X individual at Y address owes Z amount of money to a particular business and is either up-to-date, past due, or delinquent in payment. I’m sure that X individual is *thrilled* that a complete stranger knows this sort of stuff about them.
    This misdirected transactional email is arguably not even spam: although unsolicited, it isn’t really bulk. But I’m much less rigid about avoiding companies that send spam when I shop than I am about avoiding companies that show this sort of cavalier indifference to their customers’ personal information. There are banks and financial institutions that I will not do business with, and companies that I will not give a credit card to, because of what I have seen in my spamtraps.

By laura

Recent Posts

Archives

Follow Us