Practical Nerd: Privacy vs. stupidity, a case study

Frank Catalano

This one goes out to you, Herbert. And to you, Phil. And yes, even you, Correspondent-Who-Will-Not-Be-Named.

I’m afraid you’re all idiots.

Because you are case studies showing that no matter how fervent the hue and cry is about Facebook’s privacy policies or tracking cookie abuse by marketers, a major threat to individuals’ privacy — and perhaps security — on the Internet stares at them from the reflection in their LCD screens.

And I can prove it with one email address.

Because that email address — my personal one, based on a relatively common name and hosted by a well-known web mail provider — has become a catch basin for the email of others who use it as their alternate email address. They do this, it seems, when they don’t want to disclose their real email address to an entity which engages in secure commerce and has a privacy policy. Rather, they’d prefer potentially sensitive communications from that entity be sent to the email inbox of a random person of unknown character.

I mean, really, Herbert. Confirmed purchase of The Coming Economic Armageddon (with your receipt), new subscription to The Heritage Foundation Email Alerts (with your full contact information), and membership in FreedomWorks’ Take America Back Campaign (with your account information), all within four days? Good thing I was able to print out the receipts and confirmations and, with the physical address the messages gave me access to, mail them to your home for your records.

Or how about you, Phil? You signed up for Match.com in December, and I received your confirmation with your login, password, ZIP code and birth date. Not wanting to receive your matches for both my, and my marriage’s, sake, I deactivated the account, thinking you would use your correct email when you tried to register again. No such luck. In April, apparently desperate for companionship, you twice more reactivated it using my email address. And I was honored with your first “premium” matches.

I tracked down Match.com customer service and convinced a nice customer service person to permanently block my email address. But poor Phil. Apparently you don’t realize you will NEVER get a date if you can’t provide potential mates with accurate contact info.

Those are just the most memorable misdirects. Over the past 18 months, there have been more than one hundred. I’ve:

  • been reminded of my Chem-Dry of Albuquerque appointment and advised to, “have the animal members of your family safely secured.”
  • wound up on a recipe exchange. (A what?)
  • been asked to order “Cassandra” a size 30-40 swimsuit by a Canadian care agency.
  • received multiple Doubletree and Hilton confirmations for one guest over time, including reservation numbers and the ability to cancel or change reservations. (I didn’t.)
  • been issued print-at-home tickets by Live Nation for the Gramercy Theater in New York (whoever Mario and Fabulous are), and sent Fandango Bucks gift receipts.
  • received legal documents, repeatedly, for two different real estate cases in Florida.
  • been hassled by CareerBuilder.com who thought I was Katrina and kept prompting me to finish a resume, ignored three removal requests, and generally made it a challenge to get off of their list.
  • been added to the Crate and Barrel and Bloomingdale’s wedding registries, plus contacted twice by a wedding planner, all within 72 hours. (I don’t think Phil was involved.)
  • been invited to enter a horse in a thoroughbred derby in Sunland Park, New Mexico. (Which, admittedly, sounded cool.)

I’m no slime ball. I have been careful not to reveal too many specifics about any instance, nor have I ever misrepresented myself as the intended recipient. I’ve even tried to fix situations that might have gotten worse without a response indicating the sender had reached the wrong person.

After all, some are honest errors or typos. Such as when I was added to the Faculty Council of Community Colleges in New York and had an account created for me at SUNY, complete with emailed username and password. My contact attempts led to a nice conversation with someone who may actually be a relative from Sicily. Or when I was invited to a Boxing Day lunch in Bangkok and engaged in some interesting cultural information exchange about “the duck.”

Still, trying to point out a mistake can be futile. After I gently tried to tell Ben, sender of several emails over several days, that I was not the relative he meant to reach, he followed up with, “Do you know a Frank Catalano? I got three messages from him … I only opened one.” He then sent me his and his wife’s full confirmation information from AirTran Airways.

Lessons learned for individuals? Don’t assume a made-up or unconfirmed email address won’t send sensitive information to someone else, any more than a made-up or incorrect postal address won’t deliver a package to the wrong place. (I mean, if you need a decoy e-mail address, sign up for a second free account and don’t check it.) Businesses? Don’t just let message recipients unsubscribe; have a mechanism in place to allow them to report email that goes to the wrong address – just as the U.S. Postal Service does.

In any case, I doubt my experience is unique. This type of privacy — and possible security — leak is probably all too common. And completely preventable. You could say the same about any self-inflicted wound.
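The business-side lesson above, sketched as an added example (not code from the column or from any service it names): a signup flow that sends nothing sensitive until the address is confirmed, and that gives the recipient a signed "this isn't me" link which blocks the address for good. The class, function names, secret and example.com address are all assumptions made for illustration, and state is kept per address rather than per account to keep it short.

```python
import hashlib
import hmac

# Assumption: a server-side secret; this value is constructed for the example.
SECRET = b"constructed-demo-key"


def make_token(email: str, action: str) -> str:
    """Sign (action, address) so an emailed link cannot be forged or reused
    for a different action or a different address."""
    msg = f"{action}:{email.lower()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


class SignupRegistry:
    """Hypothetical registry: each address is pending, verified or blocked."""

    def __init__(self):
        self.state = {}  # address -> "pending" | "verified" | "blocked"

    def register(self, email: str) -> dict:
        email = email.lower()
        if self.state.get(email) == "blocked":
            # The real owner already reported a misdirect: refuse repeat signups.
            return {"sent": False, "reason": "address reported as not the registrant's"}
        self.state.setdefault(email, "pending")
        # The first message carries two links and no account details at all.
        return {"sent": True,
                "confirm": make_token(email, "confirm"),
                "not_me": make_token(email, "not_me")}

    def handle_link(self, email: str, action: str, token: str) -> str:
        email = email.lower()
        if not hmac.compare_digest(token, make_token(email, action)):
            return "rejected"
        if action == "not_me":
            self.state[email] = "blocked"
        elif action == "confirm" and self.state.get(email) == "pending":
            self.state[email] = "verified"
        return self.state.get(email, "unknown")

    def may_send_sensitive(self, email: str) -> bool:
        """Receipts, logins and reservations go out only to verified addresses."""
        return self.state.get(email.lower()) == "verified"
```
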

Frank Catalano is an author, consultant, and veteran analyst of digital education and consumer technologies. His “Practical Nerd” column appears regularly on GeekWire. He consults via Intrinsic Strategy and tweets @FrankCatalano. He will grudgingly admit he had one of the very first aol.com email addresses when AppleLink Personal Edition became AOL.

  • http://marketingeek.myopenid.com/ marketingeek

    Frank, a great article. I too have a common email address provided by a large email provider, which I have had since the early 1990s. I have other people’s addresses, group health accounts, access to their AAA accounts and various websites such as Disney. I receive invitations to family reunions and multiple years of emails from a young woman attending college through her early career and to marriage. And these emails continue even when I send them an “I’m not that person” email.

    That doesn’t count the weekly emails with attached business plans, purchase orders, and legal documents sent to an email address given by someone who seems to not know their proper email.  To add a bit more to this discussion, I attended the pii2010 event in Seattle, and discovered that no one in the industry is really accounting for those people with common names, let alone common emails. 

    I have tried, as you have, to let those sending the emails know that it was sent to someone that they did not expect, although I too see folks sign up again and again for services after I unsubscribe or cancel.

    It is more funny than bothersome, but the years of experience have taught me to be very aware of my online identity.

    mg

    • http://www.intrinsicstrategy.com FrankCatalano

      MG, I agree: I find it mostly amusing after all this time, unless it looks like something bad might happen if the intended recipient doesn’t get the message. In those cases, I take extra effort to respond.

      And I applaud your continued vigilance on your own behalf. At least, based on your OpenID profile.

  • http://twitter.com/jimgaynor Jim Gaynor

     A good article, but I think your premise – people are using alternate emails because they don’t want to disclose their real one – is unfounded.

    I too, am an early adopter. I have a short email address @gmail.com, @me.com, and @mac.com. And at least once a month – usually more often – I get email for someone else. Receipts. Registration information. Banking information. Loan information. Medical information. Past due notices. I’ve received exclusive backstage passes for fashion shows in LA. I’ve received job offers meant for a dentist in the UK. And much more.

    And over the years, I’ve come to a simple conclusion. It’s just user error. On the sender’s part, when they don’t remember that THEIR Tom Doe is tdoe77@gmail.com and just address to tdoe@gmail.com. On the part of Tom Doe when, hurried and hassled, he mashes together his tdoe@workplace.com email address and his tdoe77@gmail.com address. And on the part of bad programmers who don’t properly parse strings with characters like “.” and “_”, thus turning doe_tom@me.com to doe@me.com.

    The challenge is that more people have (and know to have) personal email accounts – as opposed to earlier years when people used their work account for personal matters. And those personal email addresses are being housed on fewer and fewer services.

    • http://www.intrinsicstrategy.com FrankCatalano

      Jim, my premise isn’t entirely that it’s an attempt at deception that goes wrong. I also note it’s typos and other honest user errors, as you’ve mentioned.

      But in certain cases, it’s clearly because someone wants access but doesn’t want the email disclosure that comes with it — otherwise, I’d be receiving other email meant for, say, Phil, instead of just his Match.com efforts.

      My premise is that not paying attention to the email address that you use can expose your personal and/or private information to others. And I suspect that’s not an outcome they expect.

      By the way, I’ve also received those backstage passes for fashion shows in L.A. I’ve been tempted.

  • purplemaize

    Love your article but I have 9 email addresses and I rotate them on fb… also every 3 mos. I change my password and I never give my passwords and personal information to anyone. All my privacy information is set to myself, and what I want people to see is my blogs and that is about it. Everything is in my news feed.

    • http://www.intrinsicstrategy.com FrankCatalano

      I don’t think you’re the target audience for the cautionary tale. Sounds like you’re being smart (if not, uh, a bit obsessive — not that I should talk, as I have at least four different email addresses with varying degrees of “public” exposure). But there’s little defense against someone who mis-remembers one of your nine addresses and accidentally sends info to others.
