The interesting bit is this:

3) Banning pre-ticked boxes on websites

When shopping online – for instance buying a plane ticket – you may be offered additional options during the purchase process, such as travel insurance or car rental. These additional services may be offered through so-called ‘pre-ticked’ boxes. Consumers are currently often forced to untick those boxes if they do not want these extra services. With the new Directive, pre-ticked boxes will be banned across the European Union.

I had the pleasure of meeting some of the Mailchimp legal staff last year when I was down there to do on-site training for their abuse desk employees. I was quite impressed with them and their understanding of privacy and email issues.

There was an interesting post by Romer over on his personal blog. If you don’t know, Romer helps maintain one of the commercial mail filters. He recently got spammed by one of his vendors and talked about how this is probably not the best idea. Al adds his own take on companies assuming permission. I’ve talked about taking permission in the past but haven’t touched on things like “spamming the guy who runs the filter.”

You’d be surprised, or maybe you wouldn’t, about how many people who run filters for large organizations get spammed regularly. You wouldn’t be surprised to find out that those people do factor in their own personal spam load when adjusting their organizational filters.

The 6th circuit court ruled that the government must have a search warrant before accessing email. The published opinion is interesting reading, not just because of the courts ruling on the law but also because of the defendant. Berkeley Premium Nutraceuticals toyed with spamming to advertise their product as a brief search of public reporting sites shows. The extent and effort they went to in order to stay below the thresholds for losing their merchant accounts is reminiscent of the effort some mailers go through to get mail through ISP filters.

The other bit of interesting reading is the Microsoft motion to dismiss the case brought against them by Holomaxx. It is a relatively short brief (33 pages) and 3 of those pages are simply a listing of the relevant cases demonstrating ISPs are allowed to filter mail as they see fit. 2 more pages are dedicated to listing the relevant Federal and State statutes. I strongly encourage anyone considering suing any large ISP to to read this pleading. These lawyers understand email law inside and out and they are not going to mess around. They also have both statute and case law on their side. They point this out before the end of page 1:

Holomaxx’s claims against Microsoft are without merit. First, Claims 3-6 and 9—based on Microsoft’s filtering of Holomaxx’s e-mails—are barred by the Communications Decency Act of 1996 (“CDA”), 47 U.S.C. Section 230. The CDA explicitly exempts service providers such as Microsoft from liability for filtering of objectionable content, including objectionable e-mail.

Through the CDA, Congress immunized Microsoft from precisely the sort of liability that Holomaxx seeks to impose here. Indeed, one federal court recently held that claims based on e-mail filtering were barred by the CDA. See e360Insight, LLC, 546 F. Supp. 2d at 609-610. The same analysis should be adopted here. Further, even accepting Holomaxx’s allegations as true, every cause of action based on Microsoft’s filtering activities (Claims 1-6 and 9) independently fails to state a claim upon which relief may be granted, as Holomaxx has failed to allege legally sufficient facts and puts forth theories that are unsupported in the law.

Suing ISPs to force them to accept mail is a failed business model, the law is just not on the senders’ side.

Consumerist has a case up about email policy gone wrong with a clear path to harm but no policy for handling the issue. There are a couple places I see where this policy hole can be fixed.

Chase Bank does no verification when they collect email addresses, which results in them sending email to a person who does not have an account with Chase. This is not an ideal situation for anyone. Chase is revealing private financial information to an outside party, the actual bank customer is not getting their information and someone is getting email about money that’s not theirs.

In terms of policy for institutions handling sensitive personal information, I would always recommend implementing a verification step. This is mail that people want so they should confirm it. It’s also mail that really should be not going to 3rd parties.

Chase does not implement any verification step for email. This isn’t a fatal problem, as long as there is some process in place to get feedback and then correct the issue.

Unfortunately, Chase’s policies failed here, too. Chase requires an account number to speak to a representative about any issues. In this case, the email recipient does not have an account number. All of Chase’s contact channels rely on an account number: no account number, no talking to a human.

In terms of overall policy  Chase is hoping here is that, at some point, their actual customer will notice they’re not getting email and call in and attempt to troubleshoot the problem with Chase reps. I’m willing to bet, though, that their tier 1 people don’t have the training or information needed to troubleshoot this problem. I expect they’re going to read the script that says, “We sent you the mail, it must be a problem on your end. Have a nice day.”

Chase, and other bank analogues that require an account number, that do not verify email addresses should not require account numbers to talk to someone about the mail they are receiving. Why? Because although it’s reasonably rare that the mail is going to the wrong party, the potential harm to the bank’s customer is very high. This danger to customers means the bank should invest in a support pathway that allows non-customers to call, or write, to report misdirected email.

If Chase were my customer, I’d recommend adding a button to the email that says “receiving this mail in error, report here.” Make this a simple form that the recipient can fill out, two boxes one for email address and one optional one for “reason”. Once the bank has the report, they can stop the misdirected email and attempt to contact the customer through another channel. I’d also recommend that customers confirm any new address they add to the account in the future.

I know the bank thinks that by requiring an account number they are protecting their customers. Unfortunately, they’re failing to address a rare but potentially harmful case. Sadly, I expect even after this, they will still fail to implement any changes that will stop this from happening in the future.

It’s a tough call and one I think about as I see mail coming to my mailbox to such addresses as laura-sony and laura-quicken and laura-datran. All of these were addresses given to specific companies and where I attempted to opt-out of them sharing my data with other companies. Somewhere along the line, though, the addresses leaked and got into the hands of spammers.

Those addresses are overwhelmed with spams and scams. The frustrating part is there is no way to fix it. Once the addresses are leaked, they’re leaked. They will be receiving spam throughout eternity, even if the companies involved stop selling data or fix their data handling problem.

I don’t know what to do, honestly. If I think it was a one time thing, such as the addresses that started getting spam after the iContact data leak, then I’ll change my address at the vendor and retire the address the spammers have. But with other vendors, I don’t know what happened and I suspect the vendor doesn’t either, and so I can either deal with the spam or hope that I don’t lose real mail from that vendor.

There’s no easy answer. Any time you hand over an email address, or any other form of personal data, you’re trusting in the company, all of their employees and all of their vendors and partners to be honest and competent. This is often not the case.

What do you do?

WARNING: Google Buzz Has a Huge Privacy Flaw

Fugitivus Blog (possibly NSFW due to language)

A dangerous buzz and opt-in isn’t just for email

How Google Buzz just blew your psuedonym

Lifehacker has a number of posts about Google Buzz and how to reset your settings.

I’ve already seen tweets and social media recommending using the networks generated by Google Buzz for marketing purposes.

I’m not very impressed with what I’ve heard about Google Buzz and the total lack of control it gives people over sharing information. I used to be very open with my information online, down to identifying the lab I worked in. I then said something on Usenet that upset someone. That person spent the next 4 months harassing me by phone at work and at home, and even went so far as to dig up my boss’ home number and harass her at home. I’ll be honest it was a scary experience. Even though I knew my stalker was 1500 miles away and extremely unlikely to actually show up on my doorstep, I was still worried for my safety.

That experience made me a lot more cautious about what I share online and how much information I give to people. Google Buzz seems to take a lot of the control of my information away from me. Which is why you won’t find me participating in the Google social network.

UPDATE: And here we go: Win a free laptop by following Hubspot on Google Buzz

Privacy Policy posted in local auto repair shop

The full text of the notice.

WEBSITE INFORMATION:
When you visit the QualityTuneup.com website you are providing information about your visit to Kihon Media. We know which pages you visited, what is downloaded and which domains you come from.

PROTECTING YOUR PERSONAL INFORMATION:

Our policies to protect your personal information are:

• To use physical, electronic and procedural safeguards to protect your personal information
• We do not share any of your personal information with third parties.
• To require our employees to keep personal information confidential.
• To authorize only those employees who need personal information to perform their dutues to access such information.

That’s a more readable and understandable privacy policy than most I see on websites. If a little garage can provide such an understandable and readable privacy policy, how is it that so many email and internet experts fail to do the same?

One of my disposable addresses has been getting heavily spammed from mylife.com. The subject lines are not just deceptive, they are provably lies. The mail is coming from random domains like urlprotect.com or choosefrequency.com or winnernotice.com advertising links at safetyurl.com or childsafeblogging.com or usakidprotect.com.

The spam all claims someone is “searching for…” at their website. The only thing is, the email address is associated with a fake name I gave while testing a website on behalf of a client. I know what website received the data and I know what other data was provided during the signup process. I also know that the privacy policy at the time said that my data would not be shared and that only the company I gave the information to would be sending me email.

Just more proof that privacy policies aren’t worth the paper they’re written on. But that’s not my real issue here.

The real issue is that I am receiving mail that is clearly deceptive. The subject lines of the emails up until yesterday were “(1) New Message – Someone Searching for You, Find Out…” Yesterday, I actually clicked through one of the messages to confirm that the emails were ending up at mylife.com. After that, the subject lines of the emails changed to “(1) New Person is Searching for You.”  I don’t know for sure that my click has caused the change in subject lines, but the timing seems a bit coincidental.

It’s not that someone, somewhere gave mylife.com bad data, or that someone typed a name into the mylife.com search engine and the mylife.com database showed that name and my email address were the same. Neither this name or this email address show up in a google search and I can say with certainty that this is a unique address and name combination given to a specific website. Therefore, the subject lines are clearly and demonstrably lies.

The spams are also coming from different domains and advertising links in different domains. The content is identical, the CAN SPAM addresses are identical. While the court may not rule this is deceptive under the rules of CAN SPAM, it certainly is an attempt to avoid domain level spam filters.

Who are mylife.com? Well, their website and the CAN SPAM address on their spam claims they are the company formerly known as reunion.com. I’ve talked about reunion.com here before. They have a history of harvesting addresses from users address books. They were sued for deceptive email practices under California law, but won the case just recently. They seem to think that the court case was permission to send deceptive email and have thus ramped up their deceptive practices.

If you are a legitimate email marketer, there are a couple take home messages here.

1) Spammers send mail with different domains, from different IP addresses, that contain identical content, landing pages and CAN SPAM addresses. Legitimate marketers should not rotate content and sends through different domains or different IP addresses. Pick your domain, pick your IP and stick with it.

1a) Spammers use randomly chosen domain names and cycle through domains frequently. Legitimate marketers must not use unrelated domains in marketing. Use a domain name that relates to your product, your industry or you.

2) Spammers send mail with deceptive subject lines. Legitimate marketers should make sure their subject lines are clear and truthful.

3) Spammers send mail in violation of the privacy policy under which information was collected. Legitimate marketers should be very careful to handle data in accordance with their privacy policies.

That’s what spammers do. Is that what you do?