Privacy Policy
Experian selling data to identity thieves
If you’re not following or reading Brian Krebs, you should be. He does some of the best investigative reporting in the email, security and internet space. Today’s blog post is a disturbing look into the data selling and identity theft industries. Brian details evidence that shows Experian (yes, that Experian) has been selling consumer data to identity thieves.
Google wiretapping case, what the judge ruled
Yesterday I reported that the judge had ruled on Google’s motion to dismiss. Today I’ll take a little bit deeper look at the case and the interesting things that were in the denial of the motion to dismiss.
Google is being sued for violations of federal wiretapping laws, the California Invasion of Privacy Act (CIPA) and wiretapping laws in Florida, Pennsylvania and Maryland. This lawsuit is awaiting class certification for the following groups.
Judge sides with plaintiff, refuses to dismiss wiretapping suit against Google
Judge Koh published her ruling on Google’s motion to dismiss today.
It’s a 43-page ruling, which I’m still digesting. But the short answer is that Google’s motion was denied almost in total. Google’s motion was granted for two of the claims: that email is confidential as defined by the California Invasion of Privacy Act (CIPA, section 632) and dismissal of a claim under Pennsylvania law.
Privacy policies in the real world
This weekend we took the car in for service. Instead of dropping it off at the dealership, we found a small, local garage. Prominently positioned on the counter was their Email Privacy Policy.
TWSD: Lying and Hiding
Another installment in my ongoing series: That’s What Spammers Do. In today’s installment we take a look at a company deceiving recipients and hiding their real identity.
One of my disposable addresses has been getting heavily spammed from mylife.com. The subject lines are not just deceptive, they are provably lies. The mail is coming from random domains like urlprotect.com or choosefrequency.com or winnernotice.com advertising links at safetyurl.com or childsafeblogging.com or usakidprotect.com.
The spam all claims someone is “searching for…” at their website. The only thing is, the email address is associated with a fake name I gave while testing a website on behalf of a client. I know what website received the data and I know what other data was provided during the signup process. I also know that the privacy policy at the time said that my data would not be shared and that only the company I gave the information to would be sending me email.
Just more proof that privacy policies aren’t worth the paper they’re written on. But that’s not my real issue here.
The real issue is that I am receiving mail that is clearly deceptive. The subject lines of the emails up until yesterday were “(1) New Message – Someone Searching for You, Find Out…” Yesterday, I actually clicked through one of the messages to confirm that the emails were ending up at mylife.com. After that, the subject lines of the emails changed to “(1) New Person is Searching for You.” I don’t know for sure that my click has caused the change in subject lines, but the timing seems a bit coincidental.
It’s not that someone, somewhere gave mylife.com bad data, or that someone typed a name into the mylife.com search engine and the mylife.com database showed that name and my email address were the same. Neither this name nor this email address shows up in a Google search and I can say with certainty that this is a unique address and name combination given to a specific website. Therefore, the subject lines are clearly and demonstrably lies.
The spams are also coming from different domains and advertising links in different domains. The content is identical, the CAN SPAM addresses are identical. While the court may not rule this is deceptive under the rules of CAN SPAM, it certainly is an attempt to avoid domain level spam filters.
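Rotating sender and link domains defeats a domain-level filter, but not one keyed on the content that stays the same. The sketch below is an added example, not code from this post: it fingerprints each message body with URLs masked and flags any fingerprint seen from several sending domains. The sample messages are constructed, using the sender and link domains named above and a placeholder for the postal address; the function names are hypothetical.

```python
import hashlib
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

URL = re.compile(r"https?://\S+", re.I)

def text_body(msg):
    """Concatenate the text/plain parts of a parsed message."""
    parts = [p.get_payload(decode=True).decode("utf-8", "replace")
             for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(parts)

def body_fingerprint(msg):
    """Hash the body with URLs masked, so rotating link domains do not change it."""
    body = URL.sub("URL", text_body(msg))
    body = re.sub(r"\s+", " ", body).strip().lower()
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def sender_domain(msg):
    """Domain part of the From: address, lowercased."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def rotating_campaigns(raw_messages, min_domains=2):
    """Map fingerprint -> sorted sender domains, for bodies sent from several domains."""
    groups = defaultdict(set)
    for raw in raw_messages:
        msg = message_from_string(raw)
        groups[body_fingerprint(msg)].add(sender_domain(msg))
    return {fp: sorted(d) for fp, d in groups.items() if len(d) >= min_domains}

def _sample(from_dom, link_dom):
    # Constructed message: same body and postal-address placeholder, different domains.
    return (f"From: Notice <info@{from_dom}>\n"
            "Subject: (1) New Person is Searching for You\n\n"
            f"Someone is searching for you.\nSee who: http://{link_dom}/view\n"
            "POSTAL-ADDRESS-PLACEHOLDER\n")

SAMPLES = [
    _sample("urlprotect.com", "safetyurl.com"),
    _sample("choosefrequency.com", "childsafeblogging.com"),
    _sample("winnernotice.com", "usakidprotect.com"),
    # Constructed unrelated message from a single, stable domain.
    "From: News <news@example.org>\nSubject: October newsletter\n\n"
    "This month's articles: http://example.org/october\n",
]

if __name__ == "__main__":
    for fp, domains in rotating_campaigns(SAMPLES).items():
        print(fp[:12], domains)
```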
Who are mylife.com? Well, their website and the CAN SPAM address on their spam claim they are the company formerly known as reunion.com. I’ve talked about reunion.com here before. They have a history of harvesting addresses from users’ address books. They were sued for deceptive email practices under California law, but won the case just recently. They seem to think that the court case was permission to send deceptive email and have thus ramped up their deceptive practices.
If you are a legitimate email marketer, there are a couple of take-home messages here.
1) Spammers send mail with different domains, from different IP addresses, that contain identical content, landing pages and CAN SPAM addresses. Legitimate marketers should not rotate content and sends through different domains or different IP addresses. Pick your domain, pick your IP and stick with it.
1a) Spammers use randomly chosen domain names and cycle through domains frequently. Legitimate marketers must not use unrelated domains in marketing. Use a domain name that relates to your product, your industry or you.
2) Spammers send mail with deceptive subject lines. Legitimate marketers should make sure their subject lines are clear and truthful.
3) Spammers send mail in violation of the privacy policy under which information was collected. Legitimate marketers should be very careful to handle data in accordance with their privacy policies.
That’s what spammers do. Is that what you do?
Privacy policies in court
Venkat has an analysis of a case where an individual provided a unique address to a vendor and that vendor released the address in violation of the posted privacy policy. The federal court rejected the suit due to the failure of the plaintiff to provide evidence of harm.
I posted last week about privacy policies and how often they are intentionally or unintentionally violated and when email addresses leak. Courts have consistently ruled against plaintiffs. It seems that the courts believe merely revealing information, even in contradiction to a posted privacy policy, is not actionable by the plaintiff.
As a consumer, I really don’t like the ruling. If a company is going to post a privacy policy, then they should follow it and if they don’t, I should be able to hold them responsible for their lies. Back in the land of reality, I am not surprised at the rulings. Individuals have never owned their personal information; it is the property of the people who compile and sell data.
It does mean, however, that privacy policies are not worth the paper they’re written on.