A few years back, era404 was written up in The Wall Street Journal’s online site, WSJ.com, for an experiment we ran concerning unsolicited email. The experiment was to test if those “Unsubscribe” links actually work. Upon creating a dozen brand new email accounts, we subscribed each to a dozen different online newsletters, contests, subscription services and mailing lists. Then, upon receiving the initial emails from those services, we clicked the “Unsubscribe” link.
What we found was that while we were removed from the initial mailing list, the inboxes were getting filled with other junk mail that we supposedly subscribed to. This meant that while the company had held true to their word on removing your address from their mail, they had taken it upon themselves to sell your email address to a number of other online list services. And why not? You were no longer of any use to them. You’d already expressed disinterest in their products or services, so what harm would it be to give their faithful ex-customers opportunities from other firms with products or services to sell, especially when they could make some money on the side.
This mentality, however disagreeable, has become the norm over the past few years. It is no longer disreputable businesses, product knock-offs, pornography and pharmaceutical sites, college diplomas or spam enterprises run by people like Spam King, Alan M. Ralsky, that you have to worry about. The ethic has run rampant among larger mainstream corporations as well.
In September 2004, we conducted the same experiment among customer-oriented businesses like credit card companies and domain name registrars and found their practices to be as bad, or worse, than the pornography businesses of yesteryear.
The survey found that while the government and Better Business Bureau (BBB) have cracked down on telephone solicitations, specifically those pertaining to cell phone misuse, businesses that bought and sold email address lists were being widely overlooked.
Signing up for a credit card, we found that an email address was no longer an optional field. Buried in the fine print, you’ll see why.
This statement was taken from a Best Buy credit card, operated by HSBC MasterCard (TM):
This Privacy Statement illustrates our commitment to your privacy and explains our privacy practices so you can make an informed decision about whom you allow us to share your information with in order to offer you additional products and services. Although most customers enjoy receiving offers and information about additional products and services, if you prefer that we don’t share your information for marketing purposes we will respect your choice.
They go on to let you know that they reserve the right to check in with credit bureaus and have printed in big bold type “We Respect Your Privacy” but in the fine print, they inform you that they’ll share your information with “companies within our corporate family (i.e., Affiliates)” and “we may also share certain information with non-financial service providers that become our Affiliates in the future (such as travel, auto and shopping clubs)”.
So HSBC informs you that you MUST share your phone number, email address and mailing address, AND your information will be shared with HSBC, HSBC Companies, and HSBC Affiliates, businesses that may one day be HSBC Affiliates (read: any business that will buy your information). Even worse, they’re not just sharing methods of contact. The same paragraph goes on to say “information we share might come from your application, such as your name, address, telephone number, social security number and email address. Also, the information we share could include your transactions with us or our Affiliates, your Internet usage, your credit card usage, your assets, income or credit reports, etc”. Their logic is that they want to provide you with top-notch services that “most customers enjoy receiving”, but they really mean to say that they get more money if you’re pre-qualified for a mortgage, can afford Viagra, or don’t have a college diploma (based on the credit report and social security number you’ve unwillingly released to the world). They’ve also opened you up to identity theft, credit card fraud, online and mailed scams, viruses, spyware and a whole host of malicious behavior, not just the annoyance of unsolicited mail, emails and calls.
They provide you with the opportunity to opt out of having your private information shared by way of a phone call that you can make (if you can read the small print). However, upon calling this number, you’ll be informed that it may take three to six weeks for your name to be removed from the lists they sell. At this time, your private information has been sold countless times leaving you vulnerable, helpless and frustrated.
The same survey in 2004 was conducted among registrars that included Network Solutions, GoDaddy, Domain.com and Register.com, in which a fake email was created and a call was placed to each of their businesses. Each registrar asked for an email address and full name before the question was answered. Our calls pertained to an innocuous query about how to secure a domain and if one can privately register a domain without anyone knowing who registered it. At the end of the call, once each registrar had provided their own templated response about domain registry privatization and costs, we asked if our email address was going to be used for anything. The response from Network Solutions, GoDaddy and Domains.com was that the address would be discarded since we weren’t buying any of their services–but would be required if we decided to move forward with purchasing a domain at a later date. The response from Register.com was different:
Register.com: May I have your permission to record your email address and name for documentation purposes?
era404: I’d asked about domain privatization because I don’t want my information available to the public.
Register.com: I understand that, sir, but this is only for my documentation.
era404: Will you be sending me a transcript of this conversation?
era404: Why do you need this information?
Register.com: Only for my records, sir.
era404: Will you be selling this information to anyone, because I’d prefer not to receive any email on this account?
Register.com (hesitantly): …no, sir.
era404: If you promise this account and my name will not be used for anything except for your records, regardless of if you’re sending me a transcript of this conversation or not, I concede to let you use this email address. However, please assure me that it will not be used for marketing purposes and will only be noted in your documentation.
Register.com: It will not.
A day later, needless to say, 50+ emails filled the inbox with information on Fake Swiss Rolex Watches and Pharmaceutical offers. The exact same survey was conducted again this week and the script above was reiterated almost verbatim. Predictably, Register.com still lied and proceeded to sell the email address to list services everywhere. Checking back on the email account created for the survey in 2004, the mailbox was shut down as it had overloaded its size limitations, but not before it had accrued over a half-million unsolicited emails from Register.com’s greedy representatives and their “documentation” use. I might report that at this time, both the Network Solutions and GoDaddy accounts are still clean as a whistle (Domain.com had only a mere eight hundred).
Don’t feel bad if you’ve fallen victim to the HSBC and Register.com traps. These businesses have brilliant strategies to trick users into providing their information.
HSBC MasterCard’s use of fine print and amiable jargon about “affiliates” is meant to make you feel your information is safe. If you call their number to have your email address or other information removed, you’ll see that every three months or so, they mysteriously “update” their privacy policies to get your names back on the list of available information to sell. If you call once a month for the rest of your life, you’ll still be sold to the highest bidder.
The Register.com technical support man may or may not know that their “documentation” is being scoured for addresses to sell (though it would be hard to believe, with the amount of angry, betrayed clients they must have). If you call and wait the average eight or so minutes to speak with them, they seem as flustered and clueless as you are.
In short, any time you provide information, regardless of fine print, legalese or blatant lies, your information will be sold.
Your information will be sold.
Your information will be sold.
Your information will be sold.
This needs to be repeated, in case there are non-believers out there–people who truly think that businesses (not just the above-stated examples) truly care about your privacy and well-being. Knowing and understanding this, however, you have an edge over them.
Our recommendations for best practices to keep your inbox, voicemail and mailbox free of solicitations are as follows:
1. Email addresses are free. As Gmail has lifted their Join-by-Invitation service, we recommend them solely because of their mass storage capabilities and searchability. Create a new email account before you sign-up for anything. Upon signing up, provide them with this account. For extra fun, use the business in the name of the account, such as: email@example.com or firstname.lastname@example.org. Then, wait a day for the spam to flood you over. If the requester says you need to create an account to activate any services (such as online subscriptions, Search Engine/FFA Submissions, other accounts), check that account and click the link. When you’re done, you can choose to leave the account open (which we recommend) or close it right away. We only recommend keeping it open in the case that you may lose your password for the subscription as that is where the “Lost Password” link or hint will be sent.
2. Spell your address wrong. When you open up a new bank account, perhaps because you’ve moved to a new city, give them the wrong address and/or phone number (or tell them that you don’t have a phone yet). Then call their privacy hotline and remove yourself from their solicitations. Then wait three days to three weeks and call them to correct the address. We learned this through a happy accident and found business and personal Chase accounts have been solicitation-free for the last decade. If you don’t believe that this actually works, add an address line #2 to your account with something like “(From: JPMorgan Chase)” and you will receive a dozen posted letters that first week from mortgage companies and credit score bureaus and credit card companies with that address line included. This is, in general, a good way to learn who is selling your address and who isn’t.
Generally, you can change to a real address after a few months, but it’s always fun to have solicitations sent to the wrong zip code and calls made to the wrong area code. And if, perchance, you didn’t change your address enough, receiving things sent to (From: Netflix) and (From: BN.com) is quite revealing and a little less frustrating.
3. Get a pen pal. The whole network of ERA404 has roughly 186 pen pals ranging from credit card companies to home mortgage businesses. If someone sends you a self-addressed bulk mail envelope, drop it in the mailbox. Ultimately, you’re spending their money and slowly draining their marketing budget, as well as earning money for our faithful postal service. Send them their own envelopes back. Send them their literature (the pieces devoid of your information and customer ID). Send them other pen pal literature. (It’d be interesting to see Visa get a Discover card offer, or HSBC get a Register.com offer). If you don’t have the time, just send them the envelope to let them know you care.
4. Deny them information. Most companies don’t actually require phone numbers, fax numbers and especially email addresses. When applying, tell them you don’t have any yet. Repeat the mantra of “Your information will be sold” in your head to give you the courage to lie right back to them. If you don’t mind confrontation, tell them you refuse to have your information sold and don’t believe them when they promise it’s safe. If you get a little squeamish by the idea, tell them you just moved and you’ll be sure to update them with the information once you get a phone, fax and/or email address. When you’re signing up for discount cards through pharmacy and grocery store chains, provide the wrong information entirely. Your card is your key to discounted items, not your mailing address. These businesses may send you a coupon from time to time, but it isn’t worth the amount of other solicitations you’ll receive if you provide the correct address. If you want eCoupons, refer back to Practice #1, above, and create a email@example.com account.
5. Never use a valid email address online. Message boards, forums, tech support sites, search engine submissions, FFA sites, ecommerce, online contests and competitions, etc., will all either post your information online (making it susceptible to spam bots that scour the web all day looking for email addresses for lists) or sell it to list services. If the site is something you may use often, refer to Practice #1, above. If it isn’t, use one that doesn’t exist and memorize it for use for all your postings to the above online sites. Remember that if you can see your email address, a spambot can too. If you CAN’T see your email address, a business can still collect and sell it.
A great way for you to see if your address is already available to spambots is to simply Google it, with quotes. (ie., “firstname.lastname@example.org”) to see what sites have your information stored. Contact the owners of these sites to have your email address redacted from their listings. While it may be too late to remove yourselves from lists cultured by spambots already, you’ll be able to lessen the likelihood of being scoured again. Your email may also alert the owners of these sites that you don’t wish to be sold and they may remove you from any personal lists that they’ve subscribed you to. The latter instance may be unlikely, as most unsolicited mail lists are created without webmaster’s permission or knowledge, but it’d still be worth the try. If Google returns no results with your email address searched in quotes, and you’re still receiving unsolicited mail, your address was probably submitted to lists by offline vendors (such as the above examples of pharmacies, registrars, grocery stores and credit card companies).
6. Speak your mind. The reason this ethic has become so commonplace nowadays is that customers will just let it happen. If the entire world just told businesses they refused to use their services because of bad privacy policies, businesses would be forced to change their ways. So the next time you sign up for a credit card or purchase a domain, tell them that you’re providing them with fake credentials because you know about their practices, loopholes, fine print, legalese and lies. Granted, it’s optimistic to think that we can all make a difference, but we’re not jaded enough to believe it’s futile. And if you’re too intimidated to say something, you may have to deal with the repercussions. At least know you have us as an advocate for change and we’re shouting it from the rooftops (and blogs and media centers).
8. Maintain a list. Keep a list of the businesses that sell your private information and share it with friends and family (Feel free to add HSBC and Register.com, if you like). Tell them that by using these businesses’ services, they’re opening themselves up to something far worse than unsolicited email. Tell them about the viruses, spyware, credit card fraud and identity theft issues that are too commonplace because of larger, reputable businesses. Tell them that it’s okay to boycott companies for policies like this and set an example in yourself.
9. Sign-up for “Do Not Call” lists. It’s a federal offense to solicit on cell phones unless a business has documented proof that you’ve requested these services. Home phones, however, are another story. And while Homeland Security is protecting us from supposed threats abroad, they’re having one hell of a time at home, too.
10. Don’t answer. If you don’t recognize a number, or it says “Private” or “Out of the Area”, don’t pick up the phone. Telemarketers aim to catch you when you’re at home (normally eating dinner). If they ring the same number over and over and there’s never a response, they’ll drop it from their list. We also recommend unplugging your answering system or voicemail when you’re home so that the phone continues to ring. This technique will help to have your number removed sooner and typically, telemarketers won’t call during the day when you’re at work. Note that caller IDs can also be spoofed, so be careful.
11. Learn about Identity Theft. Knowing the enemy can help you beat the enemy (anyone that read Harry Potter and the Half-blood Prince knows that). Keep the numbers of your bank, credit card customer service line, and credit bureaus safe. If your information is stolen, call them right away. Keep copies of your ID, Social Security Card and Credit Card front and back hidden and in a secure location. Don’t carry your social security number around with you and NEVER give the entire number on the phone. If a company requests it, offer only the last four digits.
12. Trap unsolicited emails before you download them. There are a number of free applications out there that are already supported by your email provider. Google and Yahoo! have particularly good engines for marking junk mail. Hotmail’s leaves something to be desired. Learn about the capabilities provided by your host to see what software they support and how they can stop the mail from ending up on your computer. Applications like SpamAssassin and BoxTrapper SpamTrap are good ways of preventing viruses and spam from hitting your computer.
SpamAssassin “reads” emails electronically and tags them with heuristic ratings to deem if an email might be an advertisement and not authentic. Version 3.1 also automatically has features for deleting mail with extra-high spam scores and provides customization options for white lists, black lists and auto-whitelisting. As with all applications, you can unfortunately be tagged as a false positive (Read “But I’m Not Spam” on ERA404’s site for more information on preventing yourself from being tagged as a false positive). BoxTrapper provides that annoying, but effective, functionality where a sender receives an automated message where they must click a link to show they’re a “human” and not a spam engine. Since most spam engines aren’t moderated, those automated responses go unread and the original emails never hit your inbox. A virus that never hits your computer is a worthless virus.
13. Remove Catch-all Addresses. If you run your own website, you know you have the capability of routing all mail to yourself that hits a certain domain. For example, you can have any mail sent to *@yourdomain.com be rerouted to your personal email (email@example.com) so that you never miss a message. Unfortunately, spambots sometimes blast emails to common domain names and email addresses, such as info@, sales@, contact@, etc. If those addresses exist, you should remove them and use something less conventional. If they don’t exist, your catch-all may be forwarding them to your account. Oftentimes, catch-alls are activated by default. Inquire with your host to ensure there is NO catch-all on your account.
14. Do not use conventional addresses for domains. Touched on briefly in Practice #13, you shouldn’t ever use email addresses that are commonly added to spam blasts. The above examples of info@, sales@ and contact@ are some ideas of things to steer clear of. Instead, try firstname.lastname@example.org (ie. email@example.com) or something more obscure (firstname.lastname@example.org).
15. Your own site isn’t safe from Spambots. Your own site should be considered when using Practice #5, above. Don’t list your own email address on your own site. Use a form that is powered by an unscourable script to submit the email to you, and tie that form to a captcha system to deter automated form blasting. If you don’t have this capability, embed your email address in an image or flash file and don’t make that image linked/clickable.
16. Privatize. Whenever possible, privatize any domains you register so that they’re hidden from the WhoIs registry.
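Practices #1, #13 and #14 can be checked against the mail you actually receive. The following is an added example, not code from era404: it sorts messages by the address they were sent to, flagging a per-business alias that is now receiving mail from unrelated senders, and mail that only arrived because of a conventional address or a catch-all. The domain, alias names and sample messages are constructed assumptions.

```python
"""Audit received mail for leaked per-business aliases and catch-all exposure."""
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parseaddr

MY_DOMAIN = "mydomain.example"  # assumption: a domain you control
# Assumption: one alias per business, mapped to the sender domain you expect.
VENDOR_ALIASES = {"cardco": "cardco.example", "registrar": "registrar.example"}
ROLE_ADDRESSES = {"info", "sales", "contact"}  # conventional names from Practice #13

# Constructed sample messages (headers only); not real mail.
SAMPLE_MAIL = [
    "From: CardCo <news@cardco.example>\nTo: cardco@mydomain.example\n\n",
    "From: deals@mail.cardco.example\nTo: cardco@mydomain.example\n\n",
    "From: watches@bulk-offers.example\nTo: registrar@mydomain.example\n\n",
    "From: pills@pharma-blast.example\nTo: list@elsewhere.example\n"
    "Delivered-To: registrar@mydomain.example\n\n",
    "From: promo@bulk-offers.example\nTo: sales@mydomain.example\n\n",
    "From: promo@bulk-offers.example\nTo: qwerty123@mydomain.example\n\n",
]


def sender_domain(msg):
    """Domain part of the From header, lower-cased ('' if missing)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def classify(raw):
    """Return (category, local_part) for the first recipient at MY_DOMAIN."""
    msg = message_from_string(raw)
    # Delivered-To first: it survives Bcc and list mail where To is someone else.
    headers = msg.get_all("Delivered-To", []) + msg.get_all("To", [])
    for _name, addr in getaddresses(headers):
        local, _, domain = addr.lower().rpartition("@")
        if domain != MY_DOMAIN:
            continue
        if local in VENDOR_ALIASES:
            expected = VENDOR_ALIASES[local]
            sender = sender_domain(msg)
            same = sender == expected or sender.endswith("." + expected)
            # A stranger writing to a one-business alias suggests it was passed on.
            return ("expected" if same else "leaked", local)
        if local in ROLE_ADDRESSES:
            return ("role-address", local)
        # Nobody was ever given this address: it only arrived via a catch-all.
        return ("catch-all", local)
    return ("not-for-us", "")


def audit(messages):
    """Count messages per (category, local_part)."""
    return Counter(classify(raw) for raw in messages)


def leaking_vendors(report):
    """Aliases that received mail from senders other than their own business."""
    return sorted({local for (cat, local), n in report.items() if cat == "leaked" and n})


if __name__ == "__main__":
    result = audit(SAMPLE_MAIL)
    for (category, local), count in sorted(result.items()):
        print(f"{category:13} {local or '-':12} {count}")
    print("aliases to retire:", leaking_vendors(result))
```

A "leaked" result is evidence rather than proof, since an alias can also be guessed or scraped from a public page.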
Established in August 2000, ERA404 Creative Group, Inc. is a New York-based design, development and marketing agency. The company has created a number of applications (including Lyrek CEMS) which focus on ICANN standards and implementation of best practices for sending email and subscribing/unsubscribing members from lists. Members have also been guest lecturers at The School of Visual Arts, in NYC, and spoken to audiences about upholding higher ethics for applications that submit and collect emails.
For further information, please contact:
Don Citarella, era404
Edited: August 29, 2007:
At the time of the original posting of this email, we’d included a username and password to the email account for readers to see the ever-amounting unsolicited email that was sent by Register.com. We were asked by the mail provider to remove this information because of the amount of traffic (from different IPs) to that email box and the bandwidth it was consuming. It also seems that some individuals had set-up an auto-forwarder from that account to (apparently) their arch-enemies so that other email addresses were receiving the Register.com unsolicited emails as well. As I wouldn’t wish that kind of frustration on my worst enemy, we have since cancelled/deleted the email account and removed the username and password to it. Whoever set-up the forwarder is perpetuating the problem discussed in this article and should seriously reconsider these actions in the future. Face your enemies, man. Don’t spam them.