Ever had to register to buy online - and been PELTED with SPAM?

Way to thank me for being a customer, man...

Spam has been a fact of life, on a par with death and taxes, for many years now. To be blunt, spammers don’t particularly care about us. They don’t have any sense of reason or shame that we can appeal to, and they have no incentive to be accommodating. We’re not their customers. In fact they make their money from selling us, not selling to us, so they have an excellent motive not to help us.

Trying to unsubscribe from a suspicious email list using the prescribed method, or any other seemingly logical approach, is the worst possible thing to do — it merely confirms that your email address is in use, paradoxically making it even more valuable to the spammers for their malign purposes. About all anyone can do is use junk filters or packages like SpamAssassin and hope for the best. All this is well known.

However, a lot of spam comes from ostensibly legitimate online businesses that you’ve actually made purchases from. This may technically not be in the same category as the utterly useless, purely evil variety of spam, but it’s effectively no different: It’s email that you never requested, sent to a list that you never asked to be signed up to. Anyone who’s made any number of purchases online has probably seen the noise level of this other kind of spam skyrocket over the years.

It’s no mystery how this happens: For the vast majority of web or mobile transactions, you’re forced to register with the seller, establishing an account linked to your home address (possibly) and your email address (definitely). There are other annoyances connected to this process, like creating a userID and password, both of which must be added to the dozens or hundreds of other userIDs and passwords you’ve already been asked to create and keep track of. But to anyone who’s overwhelmed with email they don’t want — at this point, pretty much everyone — being added to a new mailing list every other time you buy something is surely the biggest annoyance of all. It’s not inconceivable that someone making an online purchase from, say, a discount wine seller might want to be notified about any amazing wine deals the vendor may offer at some time in the future.

But in most cases you, the buyer, are not asked that question. You’re literally forced to register before you’re allowed to place an order, which means handing over your email address and all the rest. True, some sites allow you to make an “express purchase” without registering (and as the name implies, this has the additional benefit of making the checkout process itself much faster), but those are rare and getting rarer.

There’s one important difference between these “soft” spammers and the faceless, unapologetic, evil ones: We’re actually customers of the former, so it’s presumably in their interest to be nice to us. But as site registration becomes accepted as a natural part of the online shopping process, it, and the soft spam resulting from it, will be seen less and less as an intrusion. My concern about this doesn’t necessarily have anything to do with privacy invasions through the gathering of personal information, though I’m sure some people, reasonably enough, are uncomfortable with that. (How would you feel about “registering” with every bricks-and-mortar shop you buy something from?) For me, it’s mainly about getting email for the rest of my life from an online vendor simply because I made a casual purchase from them at some point in the past.

I still receive mail from companies whose sites I haven’t visited in years and years, including sellers of clothing for toddlers — not especially useful now that my daughter is 10. I’m not nostalgic, but I’m sometimes afraid to gamble with an unsubscribe request to terminate one of these unwanted relationships. Will a particular company be honorable about it? There’s no sure way to know. The least scrupulous companies will not only be using your address themselves, but enthusiastically selling it to other parties, who sell it to other parties, and so on. This does not exactly enhance the online shopping experience, and it’s no way to repay people for their patronage.

There have been times when, giddy at the thought of saving $5 on some sale item, I’ve registered on a new e-commerce site, only to regret it in the cold light of the morning, when I realized that it would have been worth the extra five bucks not to give my email address to some unknown new set of spammers, forever. On more than one occasion I’ve gone so far as to make a purchase from Amazon rather than a company I preferred (because it was smaller, or more local, or had a better price) simply because Amazon already has all the personal information on me that they could possibly want. Going through the time-consuming steps of registration, and implicitly signing up for some new set of email lists, was just not something I wanted to deal with. There’s no reason making a simple online transaction should entail these kinds of worries.

Possibly even worse than having a retail business capture your email address via registration is having a charity do it. I’m not talking about traditional donations, which can generally still be made by way of a cheque sent through the post. It now seems to be the rule that when anyone participates in a race or walkathon to raise money for charity (something co-workers or relatives of mine do at least a few times a year) the request for sponsorship is made by email, with a link to a website where the donation must be entered. These sites always seem to require registration, followed by — you guessed it — periodic emails telling you about all the great things the organisation is doing, or gently nudging you to give more. Again, there’s nothing inherently wrong with any of this if I’ve indicated that I’m OK with it. But why should making a donation require me to be on your email list (and possibly other affiliated ones) from that moment on? These cases pose a real dilemma, because if a friend, relative, or co-worker is asking for sponsors for her 10K run to benefit cancer research I’m not about to say no. I’ll admit, however, that the temptation has been getting greater.

Spam in general is so completely out of control that the old retort of “What’s the big deal? It’s easy enough to use your DELETE key” doesn’t wash anymore. I’m afraid to think how much time I spend every day using my DELETE key, and I’m sure there are people who spend a lot more than I do. It’s way beyond a minor annoyance to be added to “just one more” email list, because that “just one more” happens many times over. And again, this isn’t even taking into account the issue of privacy (with the associated profiling, tracking, etc), which is very real. There’s not much I can do about Nigerian scams, but it seems clear that legitimate businesses should allow me to perform a simple transaction and be forgotten, if that’s my preference. Yes, they’ll need my postal address, but they don’t necessarily need my email address, and if they do need it for purposes of completing the transaction there’s no reason they need to sign me up for spam forever as a side effect. Who knows — I might actually want to be added to their mailing list, but I should be allowed to make that decision voluntarily. The customer’s always right, right? ®
