Linking identities to email addresses

As I predicted yesterday, a bunch of sites have popped up where you can input email addresses and find out if the address was part of the Ashley Madison hack. My spam trap address isn’t on it, which makes me wonder if unsubscribe data was kept elsewhere or if they just never bothered to save the requests.
One of the things I’m seeing in most articles about the hack is reassurance that Ashley Madison doesn’t verify addresses, so the accounts may not belong to the email address in question. We can’t say that the email address owner is the cheater, because Ashley Madison didn’t care who owned the email address.
The warnings have been published in security blogs.

Ashley Madison didn’t do any kind of email / ownership verification for new accounts.
Provide a fake email to Ashley Madison, get started with all free features immediately.
Yes, the really quick way to build a user base; a minimum of effort needed to get started. Graham Cluey, July 2015 (emphasis original)

The warnings have been published on television news sites.

It’s also important to note that Ashley Madison users aren’t required to verify their email addresses, meaning some found in the dump may have been hijacked by Ashley Madison users seeking to keep their own email addresses off their accounts. ABC News

Even financial reporting sites are mentioning the unverified email addresses.

Several reporters and security researchers have said the data dump appears legitimate, but, to be sure, that doesn’t mean the emails are. AshleyMadison.com doesn’t verify users’ email addresses after they sign up, which means people can make up fake emails or use the addresses of others when creating accounts. Marketwatch

In this case, some email address owners, whether or not they created the account at Ashley Madison may face repercussions in real life. Folks who are already in rocky relationships and now have to explain why their email address shows up in the data dump. Some articles suggest military members may face problems because of their information in the data dump. Had Ashley Madison take some step, any step, to confirm the addresses belonged to the recipients that would not be as big a concern. But they chose not to do any email verification. Even worse, people who wanted to clear up the accounts were asked to pay money to remove the account from the database.
Email addresses are becoming more and more important identifiers of our online identity. Almost everything we do, particularly in terms of commerce, online is tied to an email address. Too few companies actually verify that email address belongs to the person that submitted it. Companies resist verification. They want the easy signup and the fast accumulation of “users.” Verification creates friction. It also creates overhead and process. It leads to unconfirmed email addresses in the database just sitting there doing nothing. Organizations don’t want to verify email addresses because it’s hard to do and relies on the recipient taking some action. 
This can lead to problems for the recipients, but it can also lead to problems for the organizations. At least half of my consulting clients come to me with delivery problems that can be traced back to them not doing any address verification. They don’t make sure the address belongs to the person who gave it to them and they get bad data on their lists and them they get blocked or put on the SBL for spamming.
I’m sure someone is going to tell me that there are a half dozen or so “address verification companies” that help with this issue. Except they don’t do anything to the address the problem of someone giving an email address that doesn’t belong to them. Nothing any of the verification services do connects the email address to the person who submitted it. They just test to see if an address is deliverable. Many of my clients are using address verification to “clean” their lists and are still seeing SBL listings and other delivery problems. 
Failure to verify email addresses leads to problems for the organizations collecting addresses. We’ve now seen it can lead to problems for the people who have their addresses forged. It’s beyond time for organizations to step up and treat address verification, real address verification, as a vital part of their signup process.
 

Ashley Madison Compromise
The FTC answers questions about CAN SPAM

Related Posts

Yes, Virginia, there is list churn

Yesterday I talked about how data collection, management, and maintenance play a crucial role in deliverability.  I mentioned, briefly, the idea that bad data can accumulate on a list that isn’t well managed. Today I’d like to dig into that a little more and talk about the non-permanence of email addresses.
A common statistic used to describe list churn is that 30% of addresses become invalid in a year.  This was research done by Return Path back in the early 2000’s. The actual research report is hard to find, but I found a couple articles and press releases discussing the info.

Read More

Verifying addresses after POS collection

Collecting email addresses at point of sale is a challenge. Some stores collect the addresses electronically, where the clerk or the customer types addresses directly into the register. Smaller stores, however, typically collect addresses on a sheet of paper at the cash register. Eventually someone takes the list and types it into whatever contact management system the store maintains.
There are all sorts of errors that can happen when someone types in an address, but those errors are only compounded when the addresses are written on a sheet of paper for later transcription. Not all of us have perfect, copperplate handwriting and many of us have barely legible scribbles. In one case I had a sender read the tag in my email address wrong causing all their mail to me to bounce.
One person found an interesting solution to the problem of illegible addresses: using Facebook’s lookup to clarify illegible addresses.

Read More

Data is the key to deliverability

Last week I had the pleasure of speaking to the Sendgrid Customer Advisory Board about email and deliverability. As usually happens when I give talks, I learned a bunch of new things that I’m now integrating into my mental model of email.
One thing that bubbled up to take over a lot of my thought processes is how important data collection and data maintenance is to deliverability. In fact, I’m reaching the conclusion that the vast majority of deliverability problems stem from data issues. How data is collected, how data is managed, how data is maintained all impact how well email is delivered.
Collecting Data
There are many pathways used to collect data for email: online purchases, in-store purchases, signups on websites, registration cards, trade shows, fishbowl drops, purchases, co-reg… the list goes on and on. In today’s world there is a big push to make data collection as frictionless as possible. Making collection processes frictionless (or low friction) often means limiting data checking and correction. In email this can result in mail going to people who never signed up. Filters are actually really good at identifying mail streams going to the wrong people.
The end result of poor data collection processes is poor delivery.
There are lots of way to collect data that incorporates some level of data checking and verifying the customer’s identity. There are ways to do this without adding any friction, even. About 8 years ago I was working with a major retailer that was dealing with a SBL listing due to bad addresses in their store signup program. What they ended up implementing was tagged coupons emailed to the user. When the user went to the store to redeem the coupons, the email address was confirmed as associated with the account. We took what the customers were doing anyway, and turned it into a way to do closed loop confirmation of their email address.
Managing Data
Data management is a major challenge for lots of senders. Data gets pulled out of the database of record and then put into silos for different marketing efforts. If the data flow isn’t managed well, the different streams can have different bounce or activity data. In a worst case scenario, bad addressees like spamtraps, can be reactivated and lead to blocking.
This isn’t theoretical. Last year I worked with a major political group that was dealing with a SBL issue directly related to poor data management. Multiple databases were used to store data and there was no central database. Because of this, unsubscribed and inactivated addresses were reactivated. This included a set of data that was inactivated to deal with a previous SBL listing. Eventually, spamtraps were mailed again and they were blocked. Working with the client data team, we clarified and improved the data flow so that inactive addresses could not get accidentally or unknowingly reactivated.
Maintaining Data
A dozen years ago few companies needed to think about any data maintenance processes other than “it bounces and we remove it.” Most mailbox accounts were tied into dialup or broadband accounts. Accounts lasted until the user stopped paying and then mail started bouncing. Additionally, mailbox accounts often had small limits on how much data they could hold. My first ISP account was limited to 10MB, and that included anything I published on my website. I would archive mail monthly to keep mail from bouncing due to a full mailbox.
But that’s not how email works today. Many people have migrated to free webmail providers for email. This means they can create (and abandon) addresses at any time. Free webmail providers have their own rules for bouncing mail, but generally accounts last for months or even years after the user has stopped logging into them. With the advent of multi gigabyte storage limits, accounts almost never fill up.
These days, companies need to address what they’re going to do with data if there’s no interaction with the recipient in a certain time period. Otherwise, bad data just keeps accumulating and lowering deliverability.
Deliverability is all about the data. Good data collection and good data management and good data maintenance results in good email delivery. Doing the wrong thing with data leads to delivery problems.
 
 

Read More