My email appears in six breaches. Only one of the companies I recognize. I have never done business with the other five.
This pisses me off. Not that the data was stolen -- these things happen. It pisses me off that my data was shared with third parties without my knowledge or consent. And no, a paragraph buried in the basement of a privacy policy does not constitute informed consent.
This system would be more useful if it could report how these companies got my data. I want to know who betrayed me.
It wouldn't be a terrible thing to have privacy legislation that forces companies that sell your data to disclose what information they sold, when, and to whom.
You can run your own email server (or have a company host a private domain for you), set up a catch-all address that only you know, then use a different email address for every site you sign up to. That way you can find out this sort of information.
Using this technique, I know for example that spammers obtained the address I signed up to Stack Overflow with. The email is not shown on my profile now, and I can't rule out that it wasn't ever shown publicly, but evidence suggests they sold my address to spammers. I also know that spammers crawled my website and found a blog post where I stupidly made up a random address using my domain as part of an example for configuring junk filters (the irony is not lost on me).
You can use the + trick and . trick with Gmail addresses too. I think Outlook as well supports the + trick. The only downside to this is that there are plenty of sites that don't accept a + either knowingly or unknowingly.
I think StavrosK meant Fastmail has the service@user.yourdomain.com syntax because "there are plenty of sites that don't accept a +", not because Gmail supports the user+service@gmail.com syntax.
RFCs don't define any meaning for '+' as described in this thread, except that the local part of the address should be interpreted locally (usually by the MDA), and preserved unmodified during message transfer.
There's no + aliasing in the specs. There's no interpretation defined for the local part of an email address.
Oh, yes. I meant "+" is an acceptable character to use in the local part of an email address, as per the RFC. I see now where the misunderstanding lies.
I've been doing this for years with Gmail but the issue with breach notification services like HIBP / Monitor is that you can't add wildcards into your search for notifications, so unless I plug in every me+service@domain email variant in, I could be missing being notified.
This isn't a good anti-spam filter though. + addressing (even the Fastmail kind) is trivial to parse and I'm 100% sure email harvesters are aware of it.
They can filter out the boxname part of temporal+boxname@mytld.com, but they can't, in general, filter out boxname@temporal.mytld.com - it would break too many things. I guess it's possible to recognize mail for mytld.com is handled by FastMail, but I'm not sure anyone bothers. In my case, almost all spam I get comes to an alias I have in my Facebook profile, and the rest of it to an alias I put on my website - so in both cases, I assume spammers just scraped the e-mail address.
Fastmail also lets you use aliases to protect your main address. I only give out an alias with an alt domain - something like spam@jm4.eml.cc, linkedin@jm4.eml.cc, etc. No one has my real address. I basically only use it as my username. I give an alias to family. I just delete the alias or filter it to the trash if I have problems with it.
I'd be surprised if many harvesters are going to bother with rules just for Fastmail domains. First of all, they have a bunch of them. Second, the spammers' objective is to get email into your mailbox. They don't care if they use an alias to get there. Bad actors who got your info in a data breach are a different story, but there's probably some safety in numbers. There could potentially be millions of accounts to go after before they start thinking about reversing my Fastmail alias. Besides, if you use one of the generic ones like qq.com or eml.cc - or even better yet, your own domain - they're not likely to notice anyway.
This isn’t to prevent spam, it is to identify the original leak. If the unique email address you gave to company X is used for solicitations by company Y, company X must have given it away.
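One way to act on the per-service-address idea in the comment above, as an added example that is not part of the original thread: it pulls the service tag out of the three address forms mentioned here (user+service@, service@user.domain, and catch-all service@domain) and reports senders that do not belong to the service the address was issued to. The domain `example.org`, the mailbox name `me`, the `SIGNUPS` registry and the sample messages are all constructed assumptions.

```python
from email.utils import parseaddr

# Hypothetical setup: a catch-all domain, the real mailbox name, and a
# registry of which sender domains each handed-out tag is expected from.
OWN_DOMAIN = "example.org"
MAILBOX = "me"
SIGNUPS = {
    "shopco": {"shopco.example"},
    "forum": {"forum.example"},
}


def extract_tag(recipient):
    """Return the per-service tag embedded in a recipient address, or None."""
    _, addr = parseaddr(recipient)
    if "@" not in addr:
        return None
    local, _, domain = addr.rpartition("@")
    local, domain = local.lower(), domain.lower()
    # Plus form: me+service@example.org
    if domain == OWN_DOMAIN and local.startswith(MAILBOX + "+"):
        return local[len(MAILBOX) + 1:] or None
    # Subdomain form: service@me.example.org
    if domain == f"{MAILBOX}.{OWN_DOMAIN}":
        return local
    # Catch-all form: service@example.org (anything but the real mailbox)
    if domain == OWN_DOMAIN and local != MAILBOX:
        return local
    return None


def sender_domain(from_header):
    """Lower-cased domain of the From header's address."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def is_expected(sender, allowed):
    """True if sender is one of the allowed domains or a subdomain of one."""
    return any(sender == d or sender.endswith("." + d) for d in allowed)


def attribute_leaks(messages):
    """Map each tag to the sorted sender domains that should not know it.

    messages is an iterable of (from_header, to_header) pairs. A tag that
    was never registered (e.g. an address scraped from a web page) has no
    expected senders, so every sender using it is reported.
    """
    leaks = {}
    for from_header, to_header in messages:
        tag = extract_tag(to_header)
        if tag is None:
            continue
        sender = sender_domain(from_header)
        if not is_expected(sender, SIGNUPS.get(tag, set())):
            leaks.setdefault(tag, set()).add(sender)
    return {tag: sorted(domains) for tag, domains in leaks.items()}


# Constructed sample headers, not real mail.
SAMPLE = [
    ("ShopCo <news@mail.shopco.example>", "me+shopco@example.org"),
    ("Deals <promo@bulk-offers.example>", "me+shopco@example.org"),
    ("Forum <noreply@forum.example>", "forum@me.example.org"),
    ("Win <x@prizes.example>", "Forum@me.example.org"),
    ("Bob <bob@friend.example>", "me@example.org"),
    ("Spam <a@junk.example>", "blogdemo@example.org"),
]

if __name__ == "__main__":
    for tag, senders in attribute_leaks(SAMPLE).items():
        print(f"{tag}: unexpected senders {senders}")
```

The From header is forgeable, and a mismatch only shows that the address left the service it was issued to; it does not distinguish a sale from a breach or from scraping.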
Depending on my mood and whether the company is local, write a complaint to the company that leaked the address or to an appropriate government institution. In my country, a local computer security news site started a tradition of telling the offending companies that they can either apologize and donate some money to a charity (and send back the proof of payment), or you'll bring the issue up with Personal Data Protection Office, which will be more than happy to fine them.
Most spammers won't go through the of "gaming" it. There's no upside. There are far easier targets to focus on than sending more mail to a single recipient who is more sophisticated.
+ as a magic character to effect routing isn't part of the standard. Mail servers are free to route addresses to mailboxes in whatever manner they see fit. That + can appear as a character in an address is part of the standard, just not the behavior of it; a server that treats a+1@ and a+2@ as distinct emails is conforming, and from a sending side, you cannot know if a+1@ and a+2@ will end up in the same mailbox.
(But you're absolutely right that too many sites fail to parse email addresses. Or rather, they over-parse.)
I believe they were breached relatively recently. If your jurisdiction doesn't require reporting you might not have gotten notification currently or in the past. They may also not know they're breached.
I do this with Fastmail, including specialized subdomains to help me segment the addresses and then distinct email names for each sign up as necessary.
You can also do something similar with Gmail (and probably other providers) using "+" in your username, e.g. "myname+hackernews@gmail.com". This creates a unique email address that delivers to your Gmail account as if the "+<whatever>" were absent. This is more easily defeated if you're a moderately motivated spammer.
Doing something like this is extra work, implying the company in question has either some malicious intent (e.g. spamming, or sharing data with third parties behind users' backs), misguided (e.g. thinking this is a proper way of dealing with user account spam), or just don't give a damn. Either one of these cases reflects badly on such company.
You can reflect it however badly you want, I'm just saying these weren't companies most people would consider shady or cut off business with over this issue.
Using + isn't the best method as some services just won't allow having a + sign in the email address (probably shitty email address detection) and of course spammers can simply strip the alias parts and send you mail.
You'd have better luck with *@user.your.domain if you can give each user a unique domain.
I used this technique a few times until I realized that spammers and, most importantly, companies that sell their user databases also know about it. So it's actually pretty trivial for them to strip the +something bit before any shady business. Now I don't really care anymore. Most spam is caught automatically anyway. Even when it's not, it's actually a tiny annoyance to me. And what am I going to do if I know for sure that some company sold my data? Sue them? I will most certainly not.
Gmail explicitly ignores '.' in email addresses. I don't think it's standard behaviour across other email systems, though, and even Gmail didn't always ignore it.
For a major grocery chain with a Savers Card program, they wanted my name, phone number, etc. They claimed they would not sell my data. I made up an imaginary name on the spot:
Joseph Kropholer
1. Six months later websites listed a Joseph Kropholer in my town. Unless I actually happened on a real name, they sold me out.
2. Reading the receipt for my name, the clerks in the check out line would thank me with "Thank you Mr Crap Hole-ermmmm. mumble mumble." Then they realize what they just called me. I did not intend that, but it is constantly funny.
Most contracts that keep modern day businesses running work by pretending uninformed consent counts as consent. If we required true informed consent things would grind to a halt. Which may not be a bad thing.
They wouldn't grind to a halt, but a lot of dishonest businesses would find themselves in a world of trouble. Which is all positive in my books. The market will go as low as people allow it to.
I think he means why other five, presumably legitimate, companies have his email address when he never signed-up for them.
My guess is it may be someone like Facebook who used to share "your friends' data" with third-party companies. So one of your friends, who may have your email, allowed a third-party company to get that list of his contacts (including your email) via the Facebook API (which at the time may have allowed this sort of sharing).
Even today, a ton of Android, and until more recently iOS, apps would collect your contact list, which means YOU shared your friends' phone numbers with some random app company. I imagine many of those friends would be pissed off at you for allowing their phone numbers to fall into the wrong hands, too, and now getting spammed all the time (if only they knew how the spam companies got their phone numbers to begin with).
And the only option left is to hunt the breach asking them one by one who's responsible.
Use standard requests and beware of panicked personnel, especially if you bypass executives.
Or the info may have been transferred to a third party for "legitimate" reasons, and then "stolen" by an employer of said third party. From the second-hand stories I heard personally, this is a common practice with call centres subcontracted by Polish telcos.
Still, it doesn't matter. Whether the company sold the data or got it taken from them, they are still at fault.
So, I 100% agree with you and think a sentence in multi-page privacy policy is not informed consent.
Recently in the EU, the GDPR regulation brought in some strict measures on how consent is requested and how data is shared and managed. I was delighted when websites started sending me emails asking me for consent to market and share data.
However I am now seeing a bunch of websites doing the shady tactic of showing a full page pop-up on mobile site with all 30+ checkboxes pre-ticked allowing them full access of my data. Fuck such sites.
What kind of world do we live in where using a free service and agreeing to explicitly documented T&Cs doesn’t constitute acceptance?
“You provided a contract, and I agreed even though I chose not to read it (despite you providing it), and used the service, but I didn’t really mean to agree” is the most ridiculous cop-out, in my view.
> What kind of world do we live in where using a free service and agreeing to explicitly documented T&Cs doesn’t constitute acceptance?
A world where a clause doesn't become valid just because it's in a contract. That's why various jurisdictions rule void kinds of clauses, even in the US. This isn't a new concept.
Firstly a Contract is a Meeting of Minds, the forty pages of small type in a PDF are nice, but it's laughable that you pretend you thought everybody read those before using your free service. And if they didn't read them, they clearly cannot agree with just every random term you threw in there and so it can't all be part of that meeting of minds, so there is not, in fact, a contract with people with those terms.
OK, so what _was_ agreed? Well, a court is going to decide what a _reasonable_ person thought they were getting into, and they'll use legislation (such as that from the GDPR) to help decide that. They'll also keep in mind a theory about relative power. You wrote these T&Cs, so the court is going to conclude that you should have taken that opportunity to add any terms you really cared about. On the other hand the _user_ wasn't able to edit the terms, so really anything they reasonably expected should probably be acceptable.
The GDPR says that you need to have the user explicitly opt in, they get to reasonably assume that's how it works, you can't change that in the text they didn't read.
You might think, "Aha, but I made them check a box saying they agree they read it". Too bad, that doesn't help for a very simple and pragmatic reason:
Judges are people too. When you explain this theory to a judge, who like other people has had to check loads of these stupid "I agree I have read a 400 page document before using this free service" boxes, they are going to look at you like you just said you think they're an idiot.
If you're thinking maybe you can try this on and see for yourself, you'll probably have to be your own lawyer. Certainly in the UK no competent lawyer will take that work. Years ago the UK passed a law banning certain contract terms in "short" residential leases (a "short" lease would be e.g. renting a house for a year). Immediately scumbag landlords wrote new contracts that said basically "I, the under-signed, agree to these terms even though they're not allowed" and then demanded their tenants sign the revised contract instead. Judges were not happy, and I pity the fool who first appeared in front of a judge trying to argue that this was somehow legal when it's obviously not.
If you're so sure your users want to explicitly agree to let you do this, make it a separate opt-in, like the regulation says. When, to your disappointment, they don't want to, that is a _learning opportunity_ for you. Take it.
Re: this, I'm still fascinated how a contract that both parties are not aware of the existence of is even allowed to be treated as a contract in the first place. In many cases like local software, when you accept the T&C, the other party has no idea this happened in the first place, so they can't even claim to have a contract with you. That you can have a contract with "informed" consent from a party (and interestingly this is regarding the other party, not you the consumer) that has no information about the contract's existence just blows my mind.
Search for "Carlill v Carbolic Smoke Ball Company" [Carbolic Smoke Balls were advertised as a cure for influenza in the 19th century, you may intuit from the fact that we still don't know how to cure influenza per se that they did not work]. An English Court decided that you can make an offer that you've defined in such a way that you won't receive notice of acceptance, and since /you/ made the offer it's your problem. For Mrs Carlill this meant that buying the product, using it as directed in the advert and then not getting better meant she was now owed £100 (which was a large sum of money in the 19th century) by the advertiser even though they had no idea she'd taken their advertising "reward" literally until she showed up demanding her money.
Probably some other mechanism could have been conjured but in our world this decision means contract law is used to manage situations where two parties would clearly benefit by cutting a deal, yet they never meet. Consider a typical car park. You drive into a sign-posted lot, park your car, and leave. Should we require the owner to have staff present to agree a deal with each user? No, it is enough to post signs explaining the general situation, e.g. "£1 per hour or part hour. Pay at machine. Car Park locked at sunset". A court will look at a situation and imply into existence any more detailed terms needed to handle the case in front of them. Is the car park owner liable for damage caused by stampeding elephants? How about if part of the car park itself falls onto a car? If the machine is broken can you still park? What if some scumbag puts an "out of order" notice on it and collects the money?
The "Meeting of Minds" formulation works very nicely. Suppose I think I'm buying a steak dinner, and you think you're selling me a live cow, once the confusion is realised there was no meeting of minds, no contract is formed. We are both embarrassed and go on our way. In the ideal case, both parties understand clearly what they're agreeing, courts never need do anything whatsoever, a good lawyer's goal in creating written contracts is to ensure this is what happens because courts are expensive and uncertain.
I would recommend seeking out an introductory Contract Law (for non-lawyers) course if you're interested, or in any case if you do freelance work or deal with contracts. Just knowing what Offer and Acceptance are can avoid some nasty situations where you might otherwise need to hire a lawyer after the fact.
Interesting history! Thanks for the explanations. Regarding the woman being owed £100 or the parked car etc., I feel like in an ideal world that kind of thing should be easy to resolve 'correctly' without involving "contracts" at all (which in my mind should be defined more narrowly, more on that below) -- e.g., I (1) would have different requirements for enforcing things in the favor of the same party who wrote the terms rather than against them, and (2) feel you can resolve these situations by lumping them into other categories than contracts (if you could define contract law to accommodate this), like maybe "false advertising", "bet", "fraud", "sale"/"purchase", "unfair competition", etc.
The reason is that I feel a "contract" should be limited to conscious agreements on both sides -- and currently, we have contracts where neither is aware of both (one side doesn't know existence, other side either doesn't realize it's a contract or doesn't know all the terms), which is rather... nuts. Why do I think it should be limited to these situations? For a number of orthogonal reasons:
[1] Rules in a contract are "open" sets rather than closed, so to speak. With something like false advertising, the rules are already set, and (at least in theory) their consequences have been brought up by various parties and taken into consideration by the government, and people just have to play by them. But with a "contract", you're letting arbitrary people make more or less arbitrary rules. Well, it seems natural that if you want to enter the rulemaking business -- society should have a reasonably high bar for that, since after all you intend to later be able to use the same society's government/legal system to enforce your more or less arbitrarily powerful terms against the other party. Requiring that all parties at least be consciously involved and aware of the rules really seems like the least you could do to demonstrate you should be making rules for someone else to play by.
[2] I think the traditional sit-down/signing/handshake is the image most people traditionally think of when they hear "contract", where both parties are aware of its existence and terms, (rather than, say, a parking lot or a ticket purchase). So treating it like this just makes the law reflect the reality that people would expect, which seems like a good thing on its own.
[3] There's an inherent power imbalance simply by virtue of the fact that, quite often, one side has to spend 1/#contracts'th the amount of resources per contract compared to the other, since once you write the contract for the first person then there's next to zero cost for everyone else -- and hence it encourages you to make the terms long and unfair, so that it's not worth it to the other side to challenge them. Really, I see it as something that should be practically a moral duty: if you want to have a fair "contract", with all the force of law behind it, you have to set both parties on equal footing, having humans involved on both sides and aware of everything is really the least both parties can do. It may seem radical... but can you just imagine if every company that wanted to put unfair terms in its contract had to have a representative explicitly tell the average Joe about this and have him consent to it explicitly (instead of just giving him N sheets of paper and having him sign in large blocks he obviously won't read)? People would get so upset and/or would have so much of their time wasted all the time, which introduces inherent friction and negative feedback into this route. It's just so much harder to spend 30 minutes explaining to someone that they have to sacrifice two arms and a leg if they buy your software than to just give them 10 sheets of paper to read while you move on to the next customer.
So these are why I'm not such a huge fan of lumping everything into the "contract" category... they often just seem wrong on so many of these levels.
Is your issue that it’s 40 pages? Is your issue the font size?
What are the criteria that make terms by which one accesses a service irrelevant? At what point does the service provider’s consent not matter?
Your last paragraph seems to assume I am a service provider. I am not. I just think that people should be bound to the things to which they explicitly agree.
Does the “user must scroll to the bottom of the terms and tick a box affirming that they read and have agreed” serve as sufficient consent in your book?
Courts _might_ decide that some terms are acceptable if they are particularly brought to the other party's attention. Bold type and larger fonts are one way to achieve that in a written contract that a court reasonably concludes you would/ should have actually read. Legislation sometimes explicitly requires that a term is highlighted this way.
You're just not going to sell a court on the theory that your free web service has a contract everybody is actually going to read -- so it won't matter how many pages or how large the typeface is.
People being "bound to the things to which they explicitly agree" is actually a problem for a reason I'll get to in a moment, but beyond that the problem for online services and other trivial contracts is that nobody really "explicitly agrees" to them, saying something doesn't make it so, or else all those things Jefferson claimed to be "self-evident" truths wouldn't require any effort to uphold.
Now, even when we actually _have_ agreement, not just somebody clicking OK to make the computer stop bugging them, we still run into a problem. Some terms are inherently prohibited in our society. You simply cannot agree to them even if you want to.
One of the recent big breaches was from Apollo and when I searched for information on that, I found that they built their database from scraping the web.
> It pisses me off that my data was shared with third parties without my knowledge or consent
But you knew when you signed up to everywhere you've ever signed up that you were giving them uninformed consent to do whatever they want with your data and metadata, and you knew that they would do whatever they want, including not bothering to effectively protect your data.
And yet you signed up.
And so have I. But since this kind of thing has become front of mind the last few years, I sign up for very few to none services anymore. At signup, my first thought is "Is this service important enough to lose my money and identity for?" The answer is virtually always no.
If we stop signing up for stuff, stuff will improve or die. Both outcomes are equally good.