Monday, April 04, 2011

How to protect yourself from the next "Epsilon" breach

Your e-mail address was only exposed if (1) you gave it to the company and (2) you selected "Please send me e-mail notifications".

I’ve done business with many of the companies involved (TiVo, Citibank, AmEx, BestBuy, Disney, Fred Meyer, Fry’s, Hilton Honors, Kroger, Marriott Rewards, Visa, Walgreens), but only TiVo sent me e-mail. That’s because I lie most of the time when they ask me for an e-mail address (when my e-mail address isn’t necessary), and when the e-mail address is necessary, I make sure I click the box saying that I don’t want marketing spam. TiVo recently started sending me marketing spam anyway; apparently it decided to forget my preference.

But even then, it wasn’t the correct address. I have three addresses: a public-facing address that everyone knows, a private address I give to friends and family, and an e-commerce address that I only give out to companies. Therefore, if I receive PayPal phishing messages, I know they are fake, because they are sent to my public address. (I’ve never gotten phishing e-mail on my e-commerce address.)

You don’t have to give out private information if you don’t want to. I recently went to Japan for my brother’s wedding. I checked in at the same time as my parents. We were handed forms to fill out, with things like name, address, phone number, e-mail address, and so forth. I filled in my name and handed my form back. My parents looked at me as if that was some unforgivable sin; they had filled out the form completely, including e-mail. But it’s not a sin, or antisocial. THEY are the ones being antisocial, because THEY will spam you if you give them your e-mail address. They say they won’t, but of course, they will.

Usually, when I hand them empty forms, they ask why I don’t fill them out. The conversation goes like this:
Them: why didn’t you fill it out?
Me: I don’t want spam and junk e-mail.
Them: We would never do that.
Me: Okay. Do you have a privacy policy that promises you won’t?
Them: What? I’ll have to check with my manager. (some moments later). Yes, here it is.
Me: (eyes scan down the page) It says here that you “won’t use the information, except for products and offers we or our partners think you might be interested in”. That means spam and junk mail.
Them: We would never do that.
Me: Do you have a privacy policy that promises you won’t?

If they continue to insist, I ask “can I lie?” -- and then provide them the (incorrect) information they ask for. It’s an ethical thing: I could’ve lied to begin with, and saved us both a lot of time. But I feel better when they know I’m lying.

It’s odd -- employees don’t really care. They are focused on getting the form filled in, not that it’s correct. The AT&T store employee knew I was lying, but sold me the phone anyway. I get a monthly SMS from AT&T complaining that my address is incorrect, warning me that I should call them and tell them my correct address. This has been going on for 3 years now.

My solution to the Epsilon breach is simply to create a new private e-mail account for e-commerce. I’ll change the address for the few accounts I care about (like NewEgg and Amazon), cancel the other accounts, and then monitor the old account for spam resulting from the Epsilon breach. My public e-mail and private personal e-mail accounts will remain unaffected.
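The approach above works by compartmentalizing: one address per role, and watching the e-commerce one for post-breach spam. The following is an added example, not code from the original post, that takes the idea one step further to one address per vendor, so that when spam arrives you can tell which vendor leaked it. It assumes a domain you control with catch-all delivery (`example.com` here) and a secret only you know; both, and the sample messages, are constructed for illustration. The tag in each address is an HMAC of the vendor name, so a spammer who harvests one address cannot derive the others by guessing the naming scheme.

```python
import hashlib
import hmac
import re

# Assumptions for this example (not from the post): a domain the mailbox
# owner controls with catch-all delivery, and a secret known only to the owner.
DOMAIN = "example.com"
SECRET = b"rotate-me-this-is-only-a-sample-secret"


def vendor_address(vendor, secret=SECRET, domain=DOMAIN):
    """Return a per-vendor address such as tivo-1a2b3c4d@example.com.

    The 8-hex-digit tag is an HMAC of the vendor name, so someone who
    harvests one address cannot derive a valid address for another vendor
    by guessing the naming scheme."""
    name = re.sub(r"[^a-z0-9]", "", vendor.lower())
    tag = hmac.new(secret, name.encode(), hashlib.sha256).hexdigest()[:8]
    return f"{name}-{tag}@{domain}"


def identify_vendor(recipient, known_vendors, secret=SECRET, domain=DOMAIN):
    """Map the To: address of an incoming message back to the vendor it
    was issued to, or None if the tag does not verify (guessed or forged)."""
    recipient = recipient.strip().lower()
    if not recipient.endswith("@" + domain):
        return None
    for vendor in known_vendors:
        expected = vendor_address(vendor, secret, domain)
        if hmac.compare_digest(expected, recipient):
            return vendor
    return None


def triage(messages, vendor_senders, secret=SECRET, domain=DOMAIN):
    """Classify each message as a (vendor, verdict) pair.

    verdict is 'expected' when the sender domain is the one the vendor
    told us it mails from, 'leaked' when a valid per-vendor address is
    being used by someone else, and 'unknown' when the tag does not verify."""
    results = []
    for msg in messages:
        vendor = identify_vendor(msg["to"], vendor_senders, secret, domain)
        if vendor is None:
            results.append((None, "unknown"))
            continue
        sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
        verdict = "expected" if sender_domain == vendor_senders[vendor] else "leaked"
        results.append((vendor, verdict))
    return results


# Constructed sample data: the sender domain each vendor says it uses ...
VENDOR_SENDERS = {"TiVo": "mail.tivo.example", "NewEgg": "newegg.example"}

# ... and three constructed messages: a legitimate TiVo mailing, a third
# party using TiVo's address (the Epsilon scenario), and a guessed tag.
SAMPLE_MESSAGES = [
    {"from": "offers@mail.tivo.example", "to": vendor_address("TiVo")},
    {"from": "promo@bulk-sender.example", "to": vendor_address("TiVo")},
    {"from": "promo@bulk-sender.example", "to": "tivo-deadbeef@" + DOMAIN},
]

if __name__ == "__main__":
    for msg, (vendor, verdict) in zip(SAMPLE_MESSAGES, triage(SAMPLE_MESSAGES, VENDOR_SENDERS)):
        print(f"{msg['to']:40} from {msg['from']:32} -> {vendor} / {verdict}")
```

The sender-domain check is deliberately simple: a real deployment would look at the SPF/DKIM-authenticated domain rather than the From: header, which anyone can forge. The useful signal is the verdict, not the spam itself: a "leaked" result names the vendor whose list ended up somewhere it should not have, which is exactly what a breach like Epsilon's makes otherwise impossible to attribute when every vendor has the same address.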


KiltBear said...

Early on, mid 90's to early 00's I would give every vendor their very own email address. For example, would get

Only once did I ever catch someone handing out the email address and have it used "inappropriately." The original company contracted with a 3rd party to handle message boards, and the message board company spammed me.

The original company seemed very happy that I was able to pinpoint this for them and they got it resolved.

Now everyone gets the same gmail address and I don't worry about it.

Jonathan Kidder said...

People won’t just stop using email. What we need to do is help educate subscribers so they don’t fall victim to scams. We need to make sure the email systems we use are keeping up with the latest security procedures. And we need to keep looking to the future.