Privacy Policies Dissolve During Tough Economic Times

In this special issue, Mark Minasi discusses how some companies are disregarding privacy policies and selling customer email addresses.

Mark Minasi

March 28, 2002

4 Min Read
ITPro Today logo in a gray background | ITPro Today

The current economic recession has hit some high-tech firms hard. Some companies in particular seem to have taken hard blows ... to their ethical standards.

Cable modem technology finally came to my area, so I signed up. My cable provider gave me an email account, whether I wanted the account or not, and I don't intend to use it. However, I recently opened that mailbox and found email solicitations for diplomas, Viagra, a view of Britney Spears topless, a lower mortgage rate, and ... well, I'm sure you get the same email.

That mailbox has existed for less than 3 weeks; I had never logged on to it or given anyone the email address. And yet, the mailbox was filled with junk. Nothing in the cable company's printed privacy policy says that the company broadcasts email addresses to the world, but clearly, it does. The company's technical support staff denied selling my email account and said I must have given out the address.

I run my own mail server, so I can create as many email accounts as I want at no charge. Several years ago, I created a new email account and used that account to sign up with a large online stock-trading company. Again, I gave this account's address to no one, but the account immediately began receiving junk email. I was incensed that the company had sold my name, but the company denied it. I explained to a manager why it was impossible for anyone but the brokerage house and me to know this email address. His answer? "We're a big enough firm that people try random strings for names, tack on an @ and our domain name, then try to send email to those addresses." This excuse sounded like balderdash, but it's not the first time I've heard it. I once created a Hotmail account for the sole purpose of testing my mail server and, again, used the account only to email myself. The account soon filled with junk email, and I complained to Hotmail. A Hotmail technical support person claimed the number of Hotmail.com accounts made it worthwhile for spammers to invent random strings and use them as email account names. Is this explanation believable?

In all these cases, I used email names that were eight characters long. Each character can be a letter (A through Z) or a number (0 through 9), so each character position has 36 possible values. That means that 36 to the eighth power possible email names exist, which amounts to just under 3 trillion possible addresses. If you assume that a short spam is about 100 characters, spammers would have to send about 300 trillion characters or 300TB of data through my cable company's or Hotmail's email servers.

Don't you think these service providers would notice that amount of traffic? I don't run a busy site, but when I do receive a lot of traffic, I notice that my Internet connection slows. I would think the service provider would shut down the source of the spam after receiving the first few hundred megabytes of data. (Or maybe not. Perhaps that explains why Hotmail seems to have so much difficulty staying up.)

These examples show that at least three online enterprises disregard their privacy policies. The lack of concern for privacy policies is a shame, but not surprising. Several years ago, Amazon.com announced that it had changed its privacy policy. Originally, Amazon.com let buyers put themselves on a "never sell my information" list; Amazon withdrew that option in 2000 and wouldn't guarantee that it wouldn't sell information collected before the policy change. Did this policy change hurt Amazon.com? Not that I can see: The company posted its first profit in last quarter 2001.

So far, the law doesn't see privacy policies as part of the contract between buyer and seller. And state and national government agencies have been working hard during the past few years to amend privacy laws with legislation such as the Uniform Computer Information Transactions Act (UCITA) and the Digital Millennium Copyright Act (DMCA), both of which help ensure that the balance of power between e-tailers and e-consumers lies with the e-tailers.

I think it's odd that if you steal my digital identity, you could go to jail, but if you sell my digital identity, you might make some good money. Perhaps someday, good legislation or a new moral consensus might change that situation. But until then, gotta go—I just received another 50 junk emails I have to delete ...

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like