This one goes out to you, Herbert. And to you, Phil. And yes, even you, Correspondent-Who-Will-Not-Be-Named.
I’m afraid you’re all idiots.
Because you are case studies showing that no matter how fervent the hue and cry is about Facebook’s privacy policies or tracking cookie abuse by marketers, a major threat to individuals’ privacy — and perhaps security — on the Internet stares at them from the reflection in their LCD screens.
And I can prove it with one email address.
I mean, really, Herbert. Confirmed purchase of The Coming Economic Armageddon (with your receipt), new subscription to The Heritage Foundation Email Alerts (with your full contact information), and membership in FreedomWorks’ Take America Back Campaign (with your account information), all within four days? Good thing I was able to print out the receipts and confirmations and, with the physical address the messages gave me access to, mail them to your home for your records.
Or how about you, Phil? You signed up for Match.com in December, and I received your confirmation with your login, password, ZIP code and birth date. Not wanting to receive your matches for both my, and my marriage’s, sake, I deactivated the account, thinking you would use your correct email when you tried to register again. No such luck. In April, apparently desperate for companionship, you twice more reactivated it using my email address. And I was honored with your first “premium” matches.
I tracked down Match.com customer service and convinced a nice customer service person to permanently block my email address. But poor Phil. Apparently you don’t realize you will NEVER get a date if you can’t provide potential mates with accurate contact info.
Those are just the most memorable misdirects. Over the past 18 months, there have been more than one hundred. I’ve:
- been reminded of my Chem-Dry of Albuquerque appointment and advised to, “have the animal members of your family safely secured.”
- wound up on a recipe exchange. (A what?)
- been asked to order “Cassandra” a size 30-40 swimsuit by a Canadian care agency.
- received multiple Doubletree and Hilton confirmations for one guest over time, including reservation numbers and the ability to cancel or change reservations. (I didn’t.)
- been issued print-at-home tickets by Live Nation for the Gramercy Theater in New York (whoever Mario and Fabulous are), and sent Fandango Bucks gift receipts.
- received legal documents, repeatedly, for two different real estate cases in Florida.
- been hassled by CareerBuilder.com who thought I was Katrina and kept prompting me to finish a resume, ignored three removal requests, and generally made it a challenge to get off of their list.
- been added to the Crate and Barrel and Bloomingdale’s wedding registries, plus contacted twice by a wedding planner, all within 72 hours. (I don’t think Phil was involved.)
- been invited to enter a horse in a thoroughbred derby in Sunland Park, New Mexico. (Which, admittedly, sounded cool.)
I’m no slime ball. I have been careful not to reveal too many specifics about any instance, nor have I ever misrepresented myself as the intended recipient. I’ve even tried to fix situations that might have gotten worse without a response indicating the sender had reached the wrong person.
After all, some are honest errors or typos. Such as when I was added to the Faculty Council of Community Colleges in New York and had an account created for me at SUNY, complete with emailed username and password. My contact attempts led to a nice conversation with someone who may actually be a relative from Sicily. Or when I was invited to a Boxing Day lunch in Bangkok and engaged in some interesting cultural information exchange about “the duck.”
Still, trying to point out a mistake can be futile. After gently trying to correct Ben, sender of several emails over several days, that I was not the relative he meant to reach, he followed up with, “Do you know a Frank Catalano? I got three messages from him … I only opened one.” He then sent me and his wife’s full confirmation information from AirTran Airways.
Lessons learned for individuals? Don’t expect a made-up or unconfirmed email address won’t send sensitive information to someone else, any more than a made-up or incorrect postal address might deliver a package to the wrong place. (I mean, if you need a decoy e-mail address, sign up for a second free account and don’t check it.) Businesses? Don’t just let message recipients unsubscribe, have a mechanism in place to allow them to report email that goes to the wrong address – just as the U.S. Postal Service does.
In any case, I doubt my experience is unique. This type of privacy — and possible security — leak is probably all too common. And completely preventable. You could say the same about any self-inflicted wound.