Privacy and being online

I have an email address that’s old enough to drink. It came to me today when I was discussing data hygiene. I mean, I have an email address that is old enough to drink! And it wasn’t even my first email address, it’s just the one I still have access to.
This realization led me down a path of what things have changed since I got that address.
I remember …DataSecurity_Illustration
… when things posted on the Internet weren’t around forever.
… when Google bought DejaNews and made USENET archives more available.

… and all those things I thought were gone forever were searchable again.

… when I thought it was good to be anonymous online.

… and trolls were mostly harmless and couldn’t hurt you.

… but there were always exceptions.

… a mailbox with zero spam in it.
… when I could still pretend I had control over my personal data.
We give up a lot of privacy just existing in the modern world. Companies track us and keep data about us. In many cases this is good. I recently had to return something to Home Depot and they could get a copy of the receipt simply by running my credit card through their system. Easy, peasy. Got my money back for that last box of floor tiles we didn’t open.
But it also means that companies can be the weak link and expose us to risk we don’t want or ask for. If there’s anything recent breaches have taught me it’s that my data is at risk no matter what I do. There’s a limit to what I can control and full control means not being able to participate in (almost any) online space.
And even if I am careful, other people use my info and my email addresses to sign up for stuff. One company in the UK is selling my email address associated with the profile “Mrs. Christine Stelfox.” Another UK company is selling a different email address with a different profile. Laura Ashley UK thinks I’m a stay at home mother of 3 in South London. And those are the easy to say “this data is bad and wrong” because they’re the wrong country and the wrong currency.
Brewster.com started spamming me, telling me that they had multiple email addresses and multiple phone numbers associated with me. I didn’t give them that data, someone else did. But now they think they own it and their privacy policy doesn’t cover my data, it only covers the data of the people who handed it over to them.
In terms of privacy, unless you want to stay offline completely, there isn’t much you can do to protect yourself. And even then, there’s nothing to stop companies from collecting data about you and selling that data on. The Target breach tells us even if you don’t do anything online, your PII can be leaked into online spaces. The US government breach tells us that doing things like participating in someone’s security clearance process can leak your data online. Health care breaches tell us we can’t trust our doctors and hospitals to keep our data safe.
All of this tells me that online privacy is difficult, if not impossible, these days. We’ve gotten used to having companies know about us and our habits and expect a high level of personalization. That personalization requires companies keep detailed records of our behavior.
I don’t think we really can give permission for this level of tracking. But I can’t see trusting companies to maintain our data in a safe and secure manner. I hate being tracked and I know that not being tracked means I give up a level of service. These days, though, you can’t even opt out of being tracked. You’re tracked even if you opt out. You just don’t get any of the benefits of being tracked.
Privacy is complicated and we don’t really have a handle on it. The internet is too new, even if people like me do have email addresses that are old enough to drink.

Related Posts

e360 sues a vendor

As if suing themselves out of business by going after Comcast and Spamhaus weren’t enough, e360 is now suing Choicepoint for breach of contract and CAN SPAM violations. As usual, Mickey has all the documents (complaint and answer) up at SpamSuite.
This may actually be an interesting case. On the surface it is a contractual dispute. Choicepoint sold e360 40,000,000 data records containing contact information including email addresses, snail mail addresses and phone numbers. Some of the records were marked “I” meaning they could be used for email. Some of the records were marked “O” meaning they could not be used for email.
Despite these terms being reasonably well defined in the contract, e360 sent email to addresses in records marked “O.” Some of those addresses resulted in e360 being sued by recipients. During the course of the suit, e360 contacted Choicepoint and asked for indemnification. Choicepoint refused for a number of reasons, including the fact that Choicepoint told e360 the addresses were not for mailing. In response, e360 filed suit.
The interesting and relevant part of this case is the CAN SPAM violation that e360 alleges.

Read More

Google wiretapping case, what the judge ruled

Yesterday I reported that the judge had ruled on Google’s motion to dismiss. Today I’ll take a little bit deeper look at the case and the interesting things that were in denial of the motion to dismiss.
Google is being sued for violations of federal wiretapping laws, the California invasion of privacy act (CIPA) and wiretapping laws in Florida, Pennsylvania and Maryland. This lawsuit is awaiting class certification for the following groups.

Read More

August 2015: The month in review

It’s been a busy blogging month and we’ve all written about challenges and best practices. I found myself advocating that any company that does email marketing really must have a well-defined delivery strategy. Email is such vital part of how most companies communicate with customers and potential customers, and the delivery landscape continues to increase in complexity (see my post on pattern matching for a more abstract look at how people tend to think about filters and getting to the inbox). Successful email marketers are proactive about delivery strategy and are able to respond quickly as issues arise. Stay tuned for more from us on this topic.
I also wrote up some deliverability advice for the DNC, which I think is valuable for anyone looking at how to maintain engagement with a list over time.  It’s also worth thinking about in the context of how to re-engage a list that may have been stagnant for a while. A comment on that post inspired a followup discussion about how delivery decisions get made, and whether an individual person in the process could impact something like an election through these delivery decisions. What do you think?
As we frequently point out, “best practices” in delivery evolve over time, and all too often, companies set up mail programs and never go back to check that things continue to run properly. We talked about how to check your tech, as well as what to monitor during and after a send. Josh wrote about utilizing all of your data across multiple mail streams, which is critical for understanding how you’re engaging with your recipients, as well as the importance of continuous testing to see what content and presentation strategies work best for those recipients.
Speaking of recipients, we wrote a bit about online identity and the implications of unverified email addresses in regards to the Ashley Madison hack and cautioned about false data and what might result from the release of that data.
Steve’s in-depth technical series for August was a two-part look at TXT records — what they are and how to use them — and he explains that the ways people use these, properly and improperly, can have a real impact on your sends.
In spam news, the self-proclaimed Spam King Sanford Wallace is still spamming, despite numerous judgments against him and his most recent guilty plea this month. For anyone else still confused about spam, the FTC answered some questions on the topic. It’s a good intro or refresher to share with colleagues. We also wrote about the impact of botnets on the inbox (TL;DR version: not much. The bulk of the problem for end users continues to be people making poor marketing decisions.) In other fraud news, we wrote about a significant spearphishing case and how DMARC may or may not help companies protect themselves.

Read More