Infobeat: Privacy policies vs. practice



Richard M. Smith (rms@computerbytesman.com)
October 23, 1999

Can we trust the privacy policies of Web sites? I ran into a situation recently which makes me wonder. Business and technical realities sometimes appear to make it difficult for companies to live up to the standards they set for themselves in their privacy policies. This message provides details on how InfoBeat, a newsletter published by Sony Music, gives out subscriber Email addresses to advertisers in spite of assurances from the InfoBeat privacy policy that this is never done.

I'm a subscriber to InfoBeat and each weekday morning I receive an Email message with headlines and story summaries of the morning news. The service is available at no charge and is supported by banner ads in the Email messages. Because the newsletter is delivered in HTML format, it allows for InfoBeat to include text, graphics, and Web links in a message.

Subscriptions for the newsletter are done at the InfoBeat Web site, http://www.infobeat.com. Besides an Email address where to send the newsletter, InfoBeat asks for gender, age, address, and phone number. Only the Email address, gender, and address are required.

In the InfoBeat privacy policy, or "Statement of Integrity" as they call it, they promise to never give out a subscriber's Email address:

   http://www.infobeat.com/static/cgi/static_merc.cgi?page=integrity.html&

   We will NEVER release, sell or give a subscriber's name
   or e-mail address to any other party or organization, without
   the subscriber's explicit permission.
(Note: the capitalization of NEVER is InfoBeat's, not mine).

However, the folks at InfoBeat haven't quite lived up to their promise to subscribers. The problem is with banner ads that appear in the newsletter. Some ads include a subscriber's Email address in the query string of a link. This means that if one clicks on one of these ads, the Web server of the advertiser is sent the subscriber's Email address, and the server can do with it what it pleases. This is a clear-cut violation of the InfoBeat "Statement of Integrity".

Here are two examples of the banner ads with the problem:


   <a href="http://www.totale.com/gateway?A9AAQA00119991004&
    email=rms@pharlap.com&ad=10&click=1">

   <a href="http://www.proflowers.com/index.cfm?REF=IBT_emailbrick19991004&
    email=rms@pharlap.com&ad=26&click=1">
As you can see, my Email address "rms@pharlap.com" appears in both URLs. The first banner ad is for Totale, a music Web site run by Columbia House, and the second banner ad is for Proflowers, a retailer of fresh flowers.
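A small audit script, added here as an example and not part of the original message, that a newsletter publisher (or a suspicious subscriber) can run over the HTML of a message to flag any link whose query string carries an e-mail address. The sample fragment is constructed from the two ad links quoted above plus the policy link; the function and variable names are my own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Constructed sample fragment modelled on the two InfoBeat ad links quoted above.
SAMPLE_NEWSLETTER = """
<a href="http://www.totale.com/gateway?A9AAQA00119991004&email=rms@pharlap.com&ad=10&click=1">Totale</a>
<a href="http://www.proflowers.com/index.cfm?REF=IBT_emailbrick19991004&email=rms@pharlap.com&ad=26&click=1">Proflowers</a>
<a href="http://www.infobeat.com/static/cgi/static_merc.cgi?page=integrity.html&">Statement of Integrity</a>
"""

# Loose e-mail shape: no whitespace, '&' or '=' inside, one '@', a dot in the domain.
EMAIL_RE = re.compile(r"[^@\s&=]+@[^@\s&=]+\.[^@\s&=]+")


class _LinkCollector(HTMLParser):
    """Collect every href attribute found on <a> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def find_leaked_addresses(html):
    """Return (host, parameter, value) for each query parameter that looks like an e-mail address."""
    collector = _LinkCollector()
    collector.feed(html)
    leaks = []
    for href in collector.hrefs:
        parts = urlsplit(href)
        # keep_blank_values=True so bare tokens such as A9AAQA00119991004 do not abort parsing
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if EMAIL_RE.fullmatch(value):
                leaks.append((parts.hostname, key, value))
    return leaks


def receiving_hosts(html):
    """Distinct third-party hosts that would receive an address when a link is followed."""
    return sorted({host for host, _, _ in find_leaked_addresses(html)})


if __name__ == "__main__":
    for host, key, value in find_leaked_addresses(SAMPLE_NEWSLETTER):
        print(f"{host} receives {key}={value}")
```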

After I noticed the give-away of Email addresses, I contacted the technical support people at InfoBeat. After about a week of back-and-forth, I was told that there is indeed a problem, which was blamed on outdated server software used to mail the InfoBeat newsletter. The problem would be fixed at some unspecified future date. In addition, I was assured that no one is using the Email addresses being sent out. I found this latest statement not to be true, as described below.

I also learned from the technical support department that InfoBeat does not do the mailing themselves, but instead farms this out to an Email service company named Exactis (www.exactis.com). This means that InfoBeat has turned over the entire InfoBeat customer list to another company, again in conflict with the "Statement of Integrity". It's pretty common for Web sites to outsource their Email lists, and I have no problem with this sort of arrangement. However, a privacy policy needs to take this into account and not make claims to the contrary.

As it turns out, Exactis has its own privacy policy, which is hidden away on their Web site. Here is what it says about giving out Email addresses:

   "In addition, Exactis.com maintains a strict privacy
   policy with regards to our clients' information.
   Exactis.com does not sell, rent or otherwise make
   available client customer information unless such
   action is requested by the list owner. All client
   information including list data, report information
   and customer reply e-mail is considered strictly
   confidential and will not be shared unless requested
   by the client."
It appears that including Email addresses in InfoBeat banner ad links violates this privacy policy as well.

The next thing I did was to check what is happening on the receiving end with these Email addresses. I sent messages off to both Totale and Proflowers.

I never got a response back from Totale in over a week. I found this sort of silence pretty much par for the course when enquiring about privacy policies at other Web sites. Regardless, here is what the Totale privacy policy has to say about the collection of Email addresses:

   "We do not collect email addresses of our customers
   (or any other personal information) except when you
   knowingly give us that information."
Hopefully, clicking on a banner ad does not constitute "knowingly give us that information". I am also left wondering why, if they don't collect Email addresses, they are being sent them in the first place.

The people at Proflowers were more helpful. At first, I was told that the Email addresses aren't used for any purpose whatsoever. However, with a bit more checking, I was told that the incoming Email addresses are used to see if someone is a current customer. In addition, the Email addresses are saved in server logs, which are kept for a month.

These uses of Email addresses seem to contradict what the privacy policy at Proflowers has to say:

   http://www2.proflowers.com/cfm/privacyPolicy.cfm?REF=&lng=

   "For each visitor to our Web site, our computers
   automatically recognize the consumer's domain name
   and IP address, but not the email address. We collect
   only the domain name and IP address of visitors to our
   web page, aggregate information on what pages consumers
   access or visit and information volunteered by the
   consumer, such as survey information and/or site
   registrations."
In addition, I was told by the Proflowers people that when a purchase is made by a customer who originally came to the Web site via an InfoBeat banner ad, InfoBeat is informed of the purchase. It is unclear to me whether InfoBeat is given information about individual purchases or whether all InfoBeat purchases are returned as aggregate data. Regardless, this information sharing is not disclosed in the Proflowers Privacy Policy and seems to be in conflict with this sentence from the policy:
   UNDER NO CIRCUMSTANCES WILL WE SHARE YOUR INFORMATION 
   WITH OTHER ORGANIZATIONS FOR COMMERCIAL PURPOSES
(Again, the capitalization is Proflowers', not mine.)

My take on this situation is that we are looking at a classic case of miscommunication. The people who are responsible for writing privacy policies do not really understand the technical and business processes that are in place. They write policies where everything is black and white, such as "we never give out Email addresses", while business, like real life, is usually different shades of gray. More involvement from the technical people who actually implement the business procedures is clearly called for here.

In the case of the InfoBeat newsletter, I was lucky to be able to see what was going on, because many of the technical details of the Email give-away were right in the HTML code for the newsletters. In other situations, however, this is not usually possible.

Since I've informed the various companies of the problems, I am hopeful that they will revise their respective privacy policies to more accurately reflect how they run their businesses. Better yet, maybe InfoBeat can simply stop giving away Email addresses, as they promised.