With two notable exceptions, email addresses I have given out to companies end up being used by them only for legitimate business communications. The two recent exceptions: Addison-Wesley and Lands' End. Spam is making email less and less useful each passing month as hundreds or even thousands of spam messages flood my inboxes daily. I always thought the people who sell or trade email addresses for spam use were faceless individuals operating from their living rooms, not major companies like Addison-Wesley and Lands' End or their affiliates.
With Addison-Wesley, I signed up for an email list several years ago for announcements of new technology titles. For a while, I received emails from Addison-Wesley every month or so announcing its latest technology books. The mailing list was low-volume and useful.
I no longer receive announcements of new books from Addison-Wesley. But the email address I gave them is now used by spammers several times a day to send me unsolicited commercial email messages. Here are some headers from a spam email I received tonight advertising "Cheap Vl x AG x RA":
    Return-Path: <firstname.lastname@example.org>
    Received: from iskiv.net (lns-bzn-22-82-249-89-146.adsl.proxad.net [220.127.116.11]) by [my email server] with SMTP id k9T7mmeJ029902 for <awbookalert@[my domain]>; Sun, 29 Oct 2006 07:48:54 GMT
    Reply-To: "Romano Wischmeier"
    From: "Romano Wischmeier"
    To: awbookalert@[my domain]
    Subject: Re: 693

Now, with an email address like "awbookalert," you figure no spammer stumbled onto this address by guessing. More likely, the spammer purchased the address from someone who stole it from Addison-Wesley's computers, or Addison-Wesley gave it away or sold my email address for use by spammers. I consider it unlikely this email address was stolen from my computers because I use several "alias" email addresses and have had a problem only with this one I gave to Addison-Wesley.
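The alias reasoning above can be automated. The following is an added example, not code from the original post: it reads the envelope recipient from the topmost Received header and flags mail that reaches a per-company alias from a domain that company does not send from. The registry, the `publisher.example` sending domain, and the `example.net` / `mx.example.net` stand-ins for the redacted values are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical registry: alias local part -> (company it was given to, domains it sends from)
ALIASES = {"awbookalert": ("Addison-Wesley", {"publisher.example"})}

# Matches the "for <recipient>" clause a receiving MTA records in its Received header.
FOR_RE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.I)

def delivered_alias(msg):
    """Envelope recipient from the topmost Received header (added by our own
    server, so it cannot be forged by the sender); falls back to To:."""
    received = msg.get_all("Received", [])
    if received:
        m = FOR_RE.search(received[0])
        if m:
            return m.group(1).lower()
    return parseaddr(msg.get("To", ""))[1].lower() or None

def classify(raw):
    """Return (alias, company, verdict); verdict is expected, leaked or unknown-alias."""
    msg = message_from_string(raw)
    alias = delivered_alias(msg)
    local = alias.split("@")[0] if alias else None
    if local not in ALIASES:
        return (alias, None, "unknown-alias")
    company, allowed = ALIASES[local]
    # Return-Path is sender-controlled: a match is weak evidence, a mismatch is a strong signal.
    domain = parseaddr(msg.get("Return-Path", ""))[1].lower().rpartition("@")[2]
    ok = any(domain == d or domain.endswith("." + d) for d in allowed)
    return (alias, company, "expected" if ok else "leaked")

# Constructed sample based on the headers quoted in the post (redacted parts replaced).
SPAM = """\
Return-Path: <firstname.lastname@example.org>
Received: from iskiv.net (lns-bzn-22-82-249-89-146.adsl.proxad.net [220.127.116.11])
 by mx.example.net with SMTP id k9T7mmeJ029902
 for <awbookalert@example.net>; Sun, 29 Oct 2006 07:48:54 GMT
To: awbookalert@example.net
Subject: Re: 693
"""
# Constructed sample of a legitimate announcement from the hypothetical sending domain.
LEGIT = SPAM.replace("firstname.lastname@example.org", "news@mail.publisher.example")

if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("legit", LEGIT)):
        print(name, classify(raw))
```
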
Another company contributing to spam is Lands' End. My wife ordered clothing a few weeks ago online from Lands' End, again using an email address unique to this one transaction. Lands' End sent two emails to this address: an order confirmation and a shipping notice.
The Lands' End customer-service representative my wife spoke with assured her the publishing company is not affiliated with Lands' End, and that Lands' End experienced no data security breach. The spam must have originated, she said, by someone breaking into her ISP's email server and stealing that address.
Yeah. Uh huh. Someone broke into an email server and stole a solitary email address. These thieves overlooked the dozens of other email aliases on her server and focused solely on this one email address she shared with Lands' End. (Her email server is different from mine, by the way, eliminating the possibility that a single server was the source for both these email addresses picked up by the spammers.)
If Lands' End's computers were not broken into, it seems likely one of its business partners is using email addresses in ways not sanctioned (or at least acknowledged) by Lands' End. A possible partner could be Coremetrics, a company that provides website analytics for Lands' End. Lands' End says they share website information with Coremetrics, but the "data that they collect for us [cannot be used] for any other purpose." Interestingly, the self-help publisher who sent my wife the spam also is a Coremetrics customer.
I don't want to cast aspersions on Coremetrics. They have many online retail customers. What I want to ask Lands' End is which is more likely:
- Hackers broke into two of our ISPs' email servers and stole one email address from each?
- One of your business partners is violating the confidentiality of your customer information?
- A hacker broke into your computer system and stole information?
If companies don't want to suffer black eyes when the public discovers how casually or carelessly they treat their customers' information, they need to start treating data privacy more seriously. The alternative, they will find, is that Congress will receive enough pressure from Americans so fed up with spam and identity theft that they will tighten data-privacy laws to make it a criminal offense when what should be private data leaks from their computer systems. When the first CEO goes to jail for contributing to spam or identity theft because the company treated customer data carelessly, perhaps that's when we'll see companies treat customer data with more seriousness and care.