Slashdot Mirror


Ask Slashdot: Why Do Firms Leak Personal Details In Plain Text?

An anonymous reader writes "Having entered my personal details (full real name, home address) to websites with an 'https://' prefix in order to purchase goods, I am still being sent emails from companies (or their agents) which include, in plain text, those same details I have entered over a secure connection. These are often companies which are very keen to tell you how much they value your privacy and how they will not pass your details on to third parties. What recourse does one have to tell them to desist from such behaviour whilst still doing business with them if their products are otherwise desirable? I email the relevant IT team as a matter of course to tell them it's not appropriate (mostly to no avail), but is there any legislation — in any territory — which addresses this?"

5 of 252 comments

  1. Re:https has no bearing by Anonymous Coward · Score: 5, Informative

    Gibberish. It has to do with the company not realizing that email is insecure.

  2. Re:Name and address? by Anonymous Coward · Score: 5, Informative

    The thing that gets me is that when people give social security numbers, they always give the last four digits. The problem is that those are really the most sensitive for anyone who got one before the year 2011. I met a guy in college who could construct a whole SSN using your place of birth and birth date. The reason is that the first 3 represented geographic location and the middle 2 were given out in a certain order. The last four ticked up for each person assigned and were therefore the hardest to narrow down and guess. The reason is that they were not designed to be used the way we use them, and instead the government should come up with a ground-up, randomly assigned number to actually identify people with or require that the SSN not be used that way.

  3. Re:HTTPS means something specific by Anonymous Coward · Score: 3, Informative

    I think the analogy would be whispering something into the company's ear, then having the company yell loudly back "OK, Bob Smith, you ordered a 5-month supply of boner pills, and is your phone number still 867-5309?!" I think the lack of conceptual security awareness contiguity evinced by the rather ramshackle habits of securing one transmission via HTTPS on the one hand and then not securing a future transmission in any way, shape or form on the other hand is what seems to have irked the anonymous reader. Companies often contain multiple freely self-directing agentive humans who often do things in ways which can appear on the outside to be dissonant.

  4. Re:https does not mean they are stored encrypted by Anonymous Coward · Score: 5, Informative

    He's not claiming that the data is stored encrypted. All he is saying is that the data he sends encrypted shouldn't be sent back to him unencrypted later.

  5. Re:https does not mean they are stored encrypted by ArsenneLupin · Score: 4, Informative

    No, SMTP doesn't support encryption between servers.

    Actually it does. But obviously both servers (sender and receiver) must be configured to use it (which most aren't, unfortunately). And the sender must be configured to check the receiver's certificate (which even fewer are).

    It's not a protocol issue, but a configuration issue.

    And knowing this, it is indeed unwise to include such confidential info in an e-mail.
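To show what "a configuration issue" looks like in practice, here is an added Postfix main.cf fragment (not from the original thread or from any poster) with the opportunistic, no-verification setting beside a setting that actually checks the receiving server's certificate. The file paths, the example.org destination and the policy-map name are assumed placeholders; the parameter names are real Postfix parameters.

```conf
# ---- Receiving side (smtpd): offer STARTTLS so that senders *can* encrypt ----
# Without a certificate and key, the server never advertises STARTTLS and
# every inbound message arrives in plaintext regardless of the sender's settings.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/tls/fullchain.pem
smtpd_tls_key_file = /etc/postfix/tls/privkey.pem

# ---- Sending side (smtp), WEAK: opportunistic TLS ----
# "may" encrypts only if the remote server advertises STARTTLS and silently falls
# back to plaintext otherwise. It also accepts any certificate, so a server on the
# path that strips STARTTLS or presents a forged certificate is not detected.
smtp_tls_security_level = may

# ---- Sending side (smtp), CORRECTED: verify the receiver's certificate ----
# "dane" verifies against the receiver's DNSSEC-signed TLSA records when they
# exist; for domains that publish none it behaves like "may", so the per-destination
# policy below is still needed for partners that must never get plaintext.
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
# A CA bundle is required for any certificate verification (assumed path).
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Per-destination override: "secure" requires TLS *and* a certificate whose name
# matches, and defers delivery rather than falling back to plaintext.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# Log the result of each TLS handshake (Verified / Trusted / Untrusted / Anonymous)
# so that unverified deliveries show up in the mail log.
smtp_tls_loglevel = 1

# Contents of /etc/postfix/tls_policy (run "postmap /etc/postfix/tls_policy" after editing):
#   example.org   secure match=example.org:.example.org
```

After reloading, outbound connections that only reach "Untrusted TLS connection established" or "Anonymous TLS connection established" in the log are the ones that were encrypted but whose certificate was not verified, which is exactly the gap the comment above describes.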