What to Do When Company Breaks Privacy Agreement?

Mustang Matt asks: "Earlier this month, I caught ALXNet redhanded in breaking their own agreement in their privacy disclaimer. I've started generating unique email addresses for use in signups that are formed like [domain]@mydomain.com. [ C :"mydomain.com" is just used as an example, here] I just received spam to alxnet@mydomain.com, and here's the kicker: what I received was not even from ALXNet! It was filled with forged headers regarding an online trading newsletter, and this address has never been used anywhere else other than their signup. How can I hold them accountable? All I've done so far is asked Yahoo to close the account they are using." What, if anything, can be done about companies that pay lip service to their privacy agreements? For those SPAM busters out there, an example of the SPAM's headers is included, below. SPAM with full headers:

Return-Path: directaccessus@yahoo.com

Received: from yourwebsite.com (66-108-136-65.nyc.rr.com [66.108.136.65])
by linux.thoughtprocess.net (8.11.0/8.11.2/SuSE Linux 8.11.1-0.5) with SMTP id fB7M8Dv07978
for alxnet@mydomain.com; Fri, 7 Dec 2001 16:08:13 -0600
Message-Id: 200112072208.fB7M8Dv07978@linux.thoughtprocess.net
X-Authentication-Warning: linux.thoughtprocess.net: Host 66-108-136-65.nyc.rr.com [66.108.136.65] claimed to be yourwebsite.com
Reply-To: directaccessus@yahoo.com
From: directaccessus@yahoo.com
To: alxnet@mydomain.com
Subject: Trading Newsletter
Sender: directaccessus@yahoo.com
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Date: Fri, 7 Dec 2001 17:12:38 -0500
X-UIDL: 6cadc61cbcf01cac2a66f167c5416863

Use the power of the free market

[an_mo]

I am afraid most of those privacy statement in the U.S. are unilateral, and can be revoked by anytime by the company that offers them to the customers. Read the fine print: I bet you'll find they stated that they could change their privacy policy anytime; you can argue they did it without notice but if they posted it on some page on their web site they can argue they gave it enough publicity (sure you don't want an email from them anytime they change two words of legalese contracts :-) )

Then your only weapon is to let them know you're pissed and to change company. A little sad, but hopefully if enough people care about this then you'll find a company willing to maintain its reputation.

The situation in some other countries is a little different; in some european countries you have to sign in advance a statement that says you are aware of the privacy policies. Most of the times you have to sign a statement saying you are aware you have no privacy. In the end the outcome is no better and sometimes worse than the american market solution to privacy.

Re:Use the power of the free market

[gnovos]

I'm afraid that the above poster may be right, but here is one possibility: You *generated* that id, right? So maybe that means you hold the copyright on that... So they may have violated copyright laws. It may not hold up in court, but who knows, a sympathetic judge may decide that slapping down the spammers who write fake privacy contracts is just the right thing to do.

Alxnet's employees

[p0ppe]

A picure of Alxnet's employees can be found at http://www2.alxnet.se/img/misc/press/alxnet_employ ees.jpg. It's always nice to *see* who you're dealing with.

post about it on slashdot

[Phork]

i suggest you make a post to slashdot about how the violated there privacy statement, it should generate lots of negative PR for them, and cost them some cash for the extra bandwidth for their server from the slashdotting. If you cant get the story on the main page, try submitting something about it to askSlashdot, it wont be seen by as many people, but will still be seen by a large amount.

what no lameness filter on the story!!

[DrSkwid]

i'm having to scroll left and right to read the comments, sheesh, don't the editors have a preview (not that it helps me !)

Re:what no lameness filter on the story!!

[heliocentric]

Learn to hit the parent links of the main thread postings so you see all the comments and no top garbage. Like this.

I always sign up as

[Beowulf_Boy]

Root@wherever_im_signing_up_at.com and hope that they run a unix.

Upstream ISP

[leastsquares]

I also use unique email addresses for web sign-ups. And, occasionally get spam sent to those addresses.

I forward the spam to all of the upstream servers in the form abuse@upstream.com, root@upstream.com, postmaster@upstream.com.

Nearly always, I get no response, except in one case I received an email stating that the company had been warned that if this happens ever again, their hosting contract will be cancelled. I thing this is enough justification to continue this procedure.

Re:Send the spam to the spammers

[heliocentric]

Choose your fake e-mail id wisely. When one of those places opened up with free emails I got the account "fakeemail@yahoohotmailetc.com" and interestingly enough some decent perl coders out there have started to filter out people who use words like fake and email and I've also noticed some that prevent you from using their own domain name (as suggested in an above post).

So now I can't use that account even for legit email that maybe I wanted to get...

Re:Send the spam to the spammers

[Yottabyte84]

Use doamin names that resolve to 127.0.0.1, like porn.org or warez.slashdot.org

Re:Send the spam to the spammers

[heliocentric]

but my fakeemail@theirdomain is a legitimate email address that I keep since it's funny and your code prevents me from signing up. Does your use of preveting root prevent me from signing up with root@myowndomain?

Alxnet Responds - official commentary

[Alxnet]

Hi!

My name is Alx Grepe and I am the founder and owner of <B>Alxnet AB</B>,
owners of alxnet.com / alxbook.com.

I have come to know of this message thread thru a reader who e-mailed me for
an advice on this matter.

<B>To start off:</B> Alxnet.com does NOT promote spam. We did NOT send the
message out. We collect e-mails to use for login purposes at our services as
well as populating our news letters.

We also offer advertisers to send e-mail advertising to our users on a
<B>100% double opt-in</B> basis where the advertiser does not actually get
the e-mail but rather send it out thru our list broker, PostmasterDirect.com

We do NOT send out mailings to our users on our news letters without their
possibility to remove themselves at any time.

<B>Second:</B> We will investigate how this message was sent out to him, and
as the sender seems to be using RoadRunner services in NYC, I bet it's not
too hard to track him/them down. I've had problems with spammers using
RR.com myself before. Whoever did this has hurt our business name and will
not get a happy new year...

We do not yet know how he managed to harvest this e-mail address, but we'll continue looking at it. All we know is that it did not originate from us.

<B>Third, is Matt attempting FRAUD?</B>:
As I wrote a response to Matt I noticed something about his e-mail address
that made me recall that I did in fact remember the domain it was sent from,
mail.win.org).

I looked up my e-mail box, as I save all outgoing e-mail, I found a letter
sent from him to me that I had sent to Paypal.com:s abuse department.

The mail was sent to me from Matt thru Paypal to the address at which I
signed up for the alxbook.com domain in the whois registry:

alexander.grepe@ABC.SE

I never see mail go to that address with the abc.se in capital except when I
recieve spam harvested from Network Solution. (they seemed to upper-case
domain names in e-mails for some reason)

What's worse, the letter Suject read:

"Bill for Email Processing"

the body read, in short:

Money Request details

Ammount: $50
Event: Bill for e-mail processing
Event Date: December 13, 2001
Note:

Your company has been found in violation of your privacy agreement [...] and in
violation of Missouri Senate Bill 763.

[...]

Thank you for doing business with us, Unpaid accounts will be turned over
to the legal department.

Alx: how rude is that?

<A HREF="http://www.alxnet.com/mkaatman.txt">http: //www.alxnet.com/mkaatman.txt</A>

Is Matt trying to rip us off? This sounds like a kind of invoice scam which is a classic trick. During many years faked
invoices have sent out to companies, who afraid to get listed at authrities as non-payers or ending up with a legal situation
accepts and pays bills to FRAUDsters.

You judge if he did right or wrong, my opinion is clear.

Matt has not contacted me in any way except this, thru PayPal. I have discarded his e-mails as just another clever way to scam people off.

PayPal has been informed of this act as I hope it'll come to his attention how wrong this is.

For any further information on this event, feel free to contact me, Alx Grepe,

by e-mail: alexander.grepe@abc.se
or phone: +46-708627783 ...

I'm playing with open cards on this to let you know we are not violating privacy rules, nor do we tolerate attempts of fraud thru e-mail...

Alxnet answers - we know where he got the spam

[Alxnet]

Hi again readers! It's now been confirmed - We have now found that Matt, depsite what he told the readers, did not only use that e-mail address to sign up to the services. Our services provided are guestbooks for homepages, Matt put on on his. In a message on that guestbook: http://pub.alxnet.com/guestbook?id=2249224 He has posted a message with this address in, and that's where a spam harvest bot found it. So, Alxnet has not given out the address, he did himself. Matt's false allegations has as well put us in a bad spot. Some kind of one-man warrior who in thinking he would do justice has after reading this compromised one of our testings server (let's face it, the machine has been running since '98 w/o harm and it was hacked today, we draw our conclusions).. Fortunatly, this is not a mission critical machine, but on the other hand - it's made things hard for thousands of people to send Christmas Wishes. If you who read this feel hit by this as being the one who did this, call us or e-mail us telling us you're sorry we will accept this in the spirit of christmas. LESSON LEARNT: Do not judge people without learning the whole truth. Ask both sides for their view on the story or it will make you blind... With best regards and Merry Christmas! Alx Grepe CEO & Founder Alxnet.com E-mail: alexander.grepe@abc.se Phone: +46-708627783

My apologies to ALXNET

[Mustang+Matt]

I've been conversing back and forth through email with Alx and his team discovered the root of the problem. The address was indeed posted into a guestbook. Not by myself, but that doesn't matter, I know how it got there.

All I can say is that I gave them two weeks to respond, sent them paypal bills per articles discussed here on slashdot, but in the end, this is my fault and I apologize for that.

Now they've contacted paypal, so I imagine my account will get frozen which is unfortunate due to the amount of money I have sitting there.

If they had only responded to any of my emails earlier this all could have been prevented.
It's unfortunate that only after getting publicity for what appeared to be a major flaw on their end were they willing to respond.

Again my apologies. Have a Merry Christmas.
Matt