Slashdot Mirror


Opt-in vs. Opt-out

Sarcasmo writes: "The Internet Law Journal has a very in-depth piece on the issue of opt-in vs. opt-out that takes on the good and the bad from both sides. How the current situation will (or will not) be handled will depend on what conclusion lawmakers come to on this core debate. An opt-in requirement is TILJ's conclusion. What's yours?" This is a good, well-reasoned analysis - exactly the type of analysis that holds no weight in legislatures.

3 of 83 comments

  1. Opt-out is a cop-out. by Tackhead · Score: 5
    Just a friendly public service reminder for those of you in the USA:

    When your bank or brokerage sends you a copy of its privacy policy, full of ambiguous language, and saying "Since we protect your privacy, there's no need for you to opt out of our information sharing among our family of companies", do two things:

    1) Opt-out. Yes, it means writing a letter and putting a stamp on it. Deal with it.

    2) In your letter, mention that you're opting-out because it's your only option available under the law, but that you're doing so under protest - and that you consider anything less than opt-in a violation of your privacy rights. Congratulate the bank on coming up with a wording ("information sharing") that sounds so harmless that most consumers are unlikely to realize what it really means.

    3) Print out a second copy and send it to your Representative and Senator. Use proper "Cc:" snail-mail etiquette -- you want your bank to know you're telling your Congresscritter, and you want your Congresscritter to know that your bank knows.

    Thank the critter (especially if he or she voted for it) for the new privacy law that's forced banks to do this very small ("opt-out") notification. Tell them that you realize the bank (or more accurately, the DMA, on request of its members) intends to use a low response rate to this "you have an opportunity to opt-out" mailing campaign as "evidence" that the consumers really do like to eat their spam, "or they'd opt-out, but since 0.00001% actually bothered to opt-out, the other 99.99999% must like receiving special offers through the mail and telephone and email!".

    Tell your congresscritters that silence does not imply assent.

    You know the argument's bogus. But the DMA, with millions of dollars in lobby funds, is gonna try to make it. And they'll succeed, unless you - yes, you there, behind the keyboard - get off your ass and do something.

    Silence does not imply assent. But the DMA is going to try very hard to convince your congresscritter that it does.

    The logical response is to deny the DMA the silence it needs to pull off the scam.

  2. Fraud Detection by pjrc · Score: 5
    The Direct Marketing Association (study) makes an interesting point:

    Since an "opt-in" approach reduces the amount of information available to sellers regarding the consumer's preferences, spending habits and typical behavior patterns, it hampers sellers' efforts to detect "unusual" purchases and alert the consumer to possible fraud.

    Several months ago, we set up a tiny business and Visa merchant account to do a bit of e-commerce from our little web site, and since then we've had a couple of attempted fraudulent transactions. This is a brief story about what information we have available as a (tiny) merchant, with the current state of today's information sharing.

    When we get a suspicious transaction, which usually means the shipping and billing addresses are very different, the first thing we do is stall. Normally we process the order in the afternoon when there's just enough time left to get to UPS or the post office (but since this is only a part-time effort, sometimes I'll do it at lunch time or some other window of opportunity... worst case the next morning before work). For a suspicious order, stalling a day or two and then attempting to run the credit card almost always ends up in the card being declined. Oftentimes we'll get transferred to an operator who instructs us to hold the card (not give it back to the customer), but since we only do on-line orders and don't have a brick-and-mortar store, that's not possible.

    A couple of months ago, we had a very interesting fraudulent transaction that didn't get declined. Robin immediately recognized that it was similar to another declined card from a few weeks prior, where the shipping address was in Indonesia and the billing address in the US, where the billing name was an Anglo-sounding name, and the shipping name was the same last name, but an obviously Eastern-sounding first name. The order was placed on a Friday, so we waited and ran the card Sunday evening. We expected it to be declined, but it went through.

    Now at this point, a giant database of all the spending habits of every card holder (or at least the one for this particular card) would be nice. I'm sure lots of people at the Direct Marketing Association dream of such a database, as is alluded to in section 1.B of the article, but the sad fact is that as a (very small) merchant, all we have is whatever information the customer typed into the form on our web site, and the phone number of our bank and credit card processing company (Nova in our case).

    So, Robin called the bank, and not quite knowing exactly what to do, she said "I've got a transaction here that I'm not very comfortable with". They did the usual address verification, and the US address we received didn't match the card's billing address. The bank will never disclose the card holder's actual billing address... you only get "match", "partial match" or "no match". The operator did actually disclose that the zip code matched. They couldn't do much more, but they gave Robin the number of the bank that had issued the card.

    Then Robin called the card holder's bank, and started a similar "I've got a questionable transaction here" conversation. They were really glad that we called... they really like it when merchants call if they see anything unusual. Again, the bank would not disclose any details to us about the card holder. They would not disclose any specific details about the card holder's purchase history. They did look into the history and warned us that the card holder had contested the charges from several internet-based purchases. The bank had the card holder's phone number on file. They would not give us the phone number, but they called the card holder for us and transferred us into the call. The woman wasn't home, but Robin got her answering machine and left a message with our number to call and confirm that she had actually placed an order with us.

    By the next day we hadn't heard back, so we reversed the charge to the card and sent an email to the contact address that we could not process the order due to having the incorrect billing address, and that we would process it when we received a voice phone call.

    As compelling as the Direct Marketing Association's argument is, that a giant database of consumer spending habits would be useful in combatting fraud, the truth is that there is already a pretty good system in place that discloses almost no private information to merchants. The banks have this information, and they automatically monitor spending patterns on all credit cards and place a hold on cards that appear to be abused. Anyone who's made a few large purchases in a row has probably received a call from their bank to confirm. When a merchant has a questionable transaction, they can call their bank and ultimately the customer's bank. While the banks won't disclose virtually any private information about the customer, they are very helpful when it comes to detecting fraud. In almost every case, they manage to decline new transactions when there have been unusual spending patterns, and in the rare cases where the bank hasn't already placed a hold on the card, they are very helpful and effective without disclosing the card holder's private information.

  3. How do I opt out of zillions of email addresses? by Skapare · Score: 4

    I have zillions of email addresses. Since I own whole domains, any username on any of them used exclusively for myself will come to me. So I should have a right, under an opt-out system, to opt out of them all, right? If the opt-out system won't take domain wildcards, then I have no choice but to opt out of each and every discrete address, in advance. Assuming usernames are made from just English letters and decimal digits, and run up to 8 characters, then I will need to do 2901713047668 opt-outs. That overflows an unsigned 32-bit integer 675 times. Then there are usernames with dashes, dots, underscores. And they can be longer (I've used as long as 60 and I bet it can go way more than that). Oh wait! I also have zillions of subdomains, too, with the power of wildcard DNS entries that have MX records.

    In order to opt out just with that number I gave above, and to get it done within a year, I'd have to send in, and they would have to process, 91951 opt-outs EVERY SECOND of the whole year!

    --
    now we need to go OSS in diesel cars