<<< Date Index >>>     <<< Thread Index >>>

[IP] busted selling off email addresses to spammers




Delivered-To: dfarber+@xxxxxxxxxxxxxxxxxx
Date: Thu, 30 Oct 2003 01:38:34 -0500
From: Alexandros Papadopoulos <apapadop@xxxxxxx>
Subject: busted selling off email addresses to spammers
To: Dave Farber <dave@xxxxxxxxxx>

Hi Dave!

The short version
=================
I have very good reason to believe that orbitz.com sold off my private
information, in breach of their privacy policy. I told them about it
and they ignored my complains. What can I do about it?

The long version
================
Whenever I need to supply a legitimate email address to some company/
organization, I add a distinguishable comment to my email address. As
you know, the address apapadop@xxxxxxx is exactly the same with
apapadop+anicebutterfly@xxxxxxx - so anything after the plus sign (+)
is ignored, and the message is delivered to my mailbox. This way, if I
get spam that is addressed to that specific commented address, I can
know who sold me out.

So, I've been doing business with orbitz.com lately. They need an
account with a valid email address, so I used apapadop+orbitz@xxxxxxx -
which I obviously had never used for any other purpose before.

A few days ago I received spam on that very address, with that very
comment embedded. Now, CMU has generally pretty good spam filters
(which I use to the furthest possible extent), so I don't know how many
spam messages addressed to me I *don't* receive each day. But this one
came right through and was delivered to my mailbox, HTML, offering to
"increase my confidence" and all...

So I sent an email to orbitz.com's customer service center, telling them
what happened, reminding them of their privacy policy that states that
"we will not disclose your Personal Information to third parties unless
you have authorized us to do so", attaching the spam message etc.

Unsurprisingly, I got a canned response that detailed how orbitz.com
uses "market-leading firewall technology" and "industry-standard
encryption technology", and remind me that this spam message was not
sent by orbitz.com - as if I ever accused them of spamming me.

"The e-mail you are referring to may have been sent to you from an
alternate source who achieved (sic) your e-mail address from another
website." - also sprach orbitz.com

Well, I only gave this email address to *them*, and now it's in the
hands of spammers. Sure, it's *possible* that some evil cracker stole
my valuable email address while orbitz.com's cleartext email message
was being routed from their domain to the CMU mail server, but that's a
little too far fetched.

The overwhelmingly probable explanation is that orbitz sold this
information to a business partner, without my consent. After I sent
them a reply, explaining why their initial reply to my request for
information was unsatisfactory, I got no further response.

What can a netizen do to protect his/her privacy when such an evident
breach of contract has occurred?

Cheers

-A
--
http://andrew.cmu.edu/~apapadop/pub_key.asc
3DAD 8435 DB52 F17B 640F  D78C 8260 0CC1 0B75 8265

-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/