Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Ask Slashdot: Why Do Firms Leak Personal Details In Plain Text?

timothy posted about a year ago | from the more-exciting-that-way dept.

Security 252

An anonymous reader writes "Having entered my personal details (full real name, home address) to websites with an 'https://' prefix in order to purchase goods, I am still being sent emails from companies (or their agents) which include, in plain text, those same details I have entered over a secure connection. These are often companies which are very keen to tell you how much they value your privacy and how they will not pass your details on to third parties. What recourse does one have to tell them to desist from such behaviour whilst still doing business with them if their products are otherwise desirable? I email the relevant IT team as a matter of course to tell them it's not appropriate (mostly to no avail), but is there any legislation — in any territory — which addresses this?"

cancel ×

252 comments

Sorry! There are no comments related to the filter you selected.

depends (5, Interesting)

bloodhawk (813939) | about a year ago | (#43765951)

It really comes down to what their privacy policy says, the country you are in and if they claim they do not share any information with 3rd parties and you were smart enough to use separate email addresses or unique identifying information so you can show the information had to originate with them then in many countries there definitely are legal avenues you can follow. But for the most part you are shit out of luck, find someone else to deal with. I started creating unqiue information that I can easily map to individual sites so I will know who is fucking me over whenever I register somewhere.

Re:depends (4, Interesting)

tysonedwards (969693) | about a year ago | (#43766185)

Why do firms leak personal details in plain text?
In the words of Tweak Tweak: "Uh... It's easy?"

Re:depends (1)

Billly Gates (198444) | about a year ago | (#43766285)

Why do firms leak personal details in plain text?

In the words of Tweak Tweak: "Uh... It's easy?"

Or explained even easier. It is cheap!

Re:depends (5, Insightful)

symbolset (646467) | about a year ago | (#43766497)

Or explained even easier. It's profitable.

Re:depends (4, Interesting)

jellomizer (103300) | about a year ago | (#43766529)

For most Security Leak issues, it comes down to a simpler problem.
Most people have crappy computer skills.
You can have a perfect system, but it takes one guy from sales or marketing to take the data, dump it as an excel of csv file and just email it or drop it in a public space because he just doesn't want to be bothered by dealing with IT

XKCD [xkcd.com] kinda shows this problem. We still don't have a good way to transfer files with people on different network. We have the technology but no clear standard.

https does not mean they are stored encrypted (2, Informative)

Anonymous Coward | about a year ago | (#43765959)

https is designed to prevent others from intercepting the traffic en route - it has basically nothing to do with how the data are stored. Should everything be encrypted? Yeah. Passwords should be salted+hashed+more because the company has no valid reason to know what the plaintext is. I hope that if I am buying something that they have a valid reason to know what the plaintext version of my address is - I don't think the USPS is that good (yet).

Re:https does not mean they are stored encrypted (5, Informative)

Anonymous Coward | about a year ago | (#43766331)

He's not claiming that the data is stored encrypted. All he is saying that the data he sends encrypted shouldn't be sent back to him unencrypted later.

Re:https does not mean they are stored encrypted (0)

BitZtream (692029) | about a year ago | (#43766555)

Perhaps he should stop using shitty email providers that don't support smtp/imap encryption then.

There is no reason his email has to be unencrypted. Mine sure as hell isn't.

Re:https does not mean they are stored encrypted (0)

Anonymous Coward | about a year ago | (#43766581)

But is the communication between mail exchange servers encrypted?

Re:https does not mean they are stored encrypted (0)

Anonymous Coward | about a year ago | (#43766605)

No smpt doesn't support encryption between servers.

Re:https does not mean they are stored encrypted (0)

Anonymous Coward | about a year ago | (#43766665)

yes it does.
http://nl.wikipedia.org/wiki/STARTTLS

and most servers support it, and will allow self signed certificates so that an encrypted (non-authenticated) session can be setup, which is still better than no encryption at all.

Re:https does not mean they are stored encrypted (4, Informative)

ArsenneLupin (766289) | about a year ago | (#43766675)

No smpt doesn't support encryption between servers.

Actually it does [ietf.org] . But obviously both servers (sender and receiver) must be configurered to use it (which most aren't, unfortunately). And sender must be configured to check receiver's certificate (which even less are).

It's not a protocol issue, but a configuration issue.

And knowing this, it is indeed unwise to include such confidential info in an e-mail.

Re:https does not mean they are stored encrypted (2)

symbolset (646467) | about a year ago | (#43766507)

HTTPS means that you have a securely encrypted connection with the remote server. Not that the people who own the remote server are going to keep your privacy sacred.

Re:https does not mean they are stored encrypted (3, Insightful)

ArsenneLupin (766289) | about a year ago | (#43766683)

HTTPS means that you have a securely encrypted connection with the remote server. Not that the people who own the remote server are going to keep your privacy sacred.

But it does mean that nobody on the path can listen in on the connection. Which is defeated if then the same info is sent back over an unencrypted channel.

Are you daft? (0)

Anonymous Coward | about a year ago | (#43765969)

Your payment information is sacred. The other stuff, not so much.

Re:Are you daft? (3, Funny)

Quasimodem (719423) | about a year ago | (#43766587)

Your payment is sacred. All other, not so much. (Fixed)

Re:Are you daft? (1, Funny)

lxs (131946) | about a year ago | (#43766639)

Because every byte is sacred,
Every byte is great!
If a byte gets wasted,
God gets quite irate.

Let the user spill theirs
On the dusty ground
God shall make them pay
For each byte that can't be found.

Every byte is wanted,
Every byte is good.
Every byte is needed,
In your neighborhood.

https has no bearing (3, Insightful)

bcjanes (469676) | about a year ago | (#43765971)

The reason you get emails with your personal information has nothing to do with https (secure) v/s http (insecure), it has to do with the company you did business with sharing/selling your information with their 'business partners' and / or selling it to marketing companies, and the tracking cookies from other websites you've visited.

Re:https has no bearing (5, Informative)

Anonymous Coward | about a year ago | (#43766017)

Gibberish. It has to do with the company not realizing that email is insecure.

Re:https has no bearing (-1)

Anonymous Coward | about a year ago | (#43766203)

fucking morons these days. this has jack shit to do with email.

Re:https has no bearing (-1)

Anonymous Coward | about a year ago | (#43766589)

Omitting capital letters from sentences usually reveals who is the actual moron. :P

Re:https has no bearing (0)

Anonymous Coward | about a year ago | (#43766283)

The poster seems to know this - the issue is that these companies have https and say how much they value your privacy, while not realizing that the emails they send you are unencrypted plaintext, and therefore no better than just showing all of your information via http....whenever a company sends me an account confirmation email that encloses my password in plaintext, I no longer do anything with them as it's clear they do not know how to handle security. I don't care if it's hashed/salted on their db end - if they send a password to me in plaintext via my email EVER, they don't know enough about security.

HTTPS means something specific (1, Informative)

blackraven14250 (902843) | about a year ago | (#43765979)

...that you don't seem to understand. It has nothing to do with the way they use the data. It means only that the communication is being sent encrypted, and is thus not going to be caught by a man in the middle attack. That's it, nothing more.

Re:HTTPS means something specific (2)

lemou (2654725) | about a year ago | (#43766031)

Exactly, and their Term Of Services (if there are any), are probably not as secured as their website's sockets.

Re:HTTPS means something specific (5, Insightful)

Anonymous Coward | about a year ago | (#43766039)

I believe that his point was that the exact information that was sent encrypted is now being sent in plain-text over email. So, what's the point of using HTTPS to send private information if it's leaked right back through plain-text on port 25, and what can be done to tell companies to stop forwarding all those details through emails. Maybe they could email a link telling the user where to log-in to see his invoice instead of forwarding all his private information through email.

Re:HTTPS means something specific (-1)

Anonymous Coward | about a year ago | (#43766087)

Wow, you're the first one to comprehend what they read. And the first who wanted to do that more than he wanted to nitpick the summary to death to prove how clever he is.

Somebody give this guy a +10.

Re:HTTPS means something specific (1)

Anonymous Coward | about a year ago | (#43766227)

Judging by the comments it seems that /. has changed. I guess the new crowd doesn't mind the invasion of privacy.

Re:HTTPS means something specific (0)

Anonymous Coward | about a year ago | (#43766245)

googlebot's gone rampant and is spamming slashdot as part of its 20-year subversive campaign to eliminate privacy laws and usher in a futurisitc dystopian feudal age.

That, or slashdot has dimmed a bit.

PS - It's saturday night, I'm bored... seen any good futuristic dystopian sci-fi flicks lately? All of a sudden I'm in the mood for one.

Re:HTTPS means something specific (1)

Zontar The Mindless (9002) | about a year ago | (#43766275)

We'll always have Blade Runner.

Re:HTTPS means something specific (4, Insightful)

Etherwalk (681268) | about a year ago | (#43766129)

So, what's the point of using HTTPS to send private information if it's leaked right back through plain-text on port 25

A locked front door and an open back door is better than two open doors. Although yes, they should lock the back door. What we really need is industry-standard secure-ish email.

Re:HTTPS means something specific (0)

Anonymous Coward | about a year ago | (#43766611)

that cant happen, at least not at the protocol level... but they can do an email like this:

dear (your name here):

your billing statement for june 2013 is ready. you may login to our web site at https://companysite.com/ [companysite.com] (where company site is a direct link to the known company domain, not some bounced tracker through a third-party mailer outfit) to view, print and make a payment to your account.

there is absolutely no need for *email* to contain anything more than a name or other single unique identifier.. (like a slashdot userid or username... or how ebay starts their emails off.. something a random spammer or scammer probably doesn't know).. everything else can be done through a secure website login.....

or companies could go with encrypted pdf, with a password/pin established by the customer on the company web site... but afaik, pdf's can be hacked pretty easily...

other than that.. nothing else will be easier enough for the masses to do, and would generate far too many support calls and emails.

Re:HTTPS means something specific (1)

ArsenneLupin (766289) | about a year ago | (#43766697)

not some bounced tracker through a third-party mailer outfit

Good luck with that! If even the pirate party can't get this right, how will business ever get it?

Re:HTTPS means something specific (1)

FireFury03 (653718) | about a year ago | (#43766679)

That's what S/MIME is for... unfortunately no one uses it.

Re:HTTPS means something specific (1)

war4peace (1628283) | about a year ago | (#43766359)

Since when are real name and address called "private information"?
Aren't they public info?

Re:HTTPS means something specific (1)

Anonymous Coward | about a year ago | (#43766437)

The sensitive information is about the association of your identity to the service. Maybe you don't want this be known to others (e.g porn site or downloading of blue prints for 3d printable weapons)

Re:HTTPS means something specific (0)

Anonymous Coward | about a year ago | (#43766491)

Since when are real name and address called "private information"?
Aren't they public info?

Since this is slashdot, it should be obvious... the OP ordered his "Love Doll" wife online, and months after his 200-lb crate showed up he was getting catalogs from "partner" companies for women's clothing, other sex toys, etc.

:-)

Name and address might be easily available information, but when it gets tied to your "preferences" based on *what you bought* (which often can be 'inferred' by the company giving out the information, even if not an exact list of what was purchased) it *does* border quite a bit on an invasion of your privacy.

Re:HTTPS means something specific (1)

Endophage (1685212) | about a year ago | (#43766391)

Except that just about every email server these days will also encrypt its connections (and if it doesn't you should switch provider) so your details aren't being leaked in plaintext on port 25...

Re:HTTPS means something specific (1)

grahammm (9083) | about a year ago | (#43766609)

But it not his email provider which is not encrypting the connections, but the supplier's email provider over whom he no control.

Re:HTTPS means something specific (1)

synaptik (125) | about a year ago | (#43766071)

I think what the OP meant was: because the original transmission was over https, he feels confident in discounting the possibility of an eavesdropper, as opposed to the company just being lax and/or promiscuous with his information.

Re:HTTPS means something specific (3, Informative)

Anonymous Coward | about a year ago | (#43766089)

I think the analogy would be whispering something into the company's ear, then having the company yell loudly back "OK, Bob Smith, you ordered a 5-month supply of boner pills, and is your phone number still 867-5309?!" I think the lack of conceptual security awareness contiguity evinced by the rather ramshackle habits of securing one transmission via HTTPs on the one hand and then not securing a future transmission in any way shape or form on the other hand is what seems to have irked the anonymous reader. Companies often contain multiple freely self directing agentive humans who often do things in ways which can appear on the outside to be dissonant.

Re:HTTPS means something specific (2)

tftp (111690) | about a year ago | (#43766267)

the rather ramshackle habits of securing one transmission via HTTPs on the one hand and then not securing a future transmission in any way shape or form on the other hand

How would one secure an email? Existing S/MIME and PGP are not commonly used.

A company cannot abandon email because it's the only notification method that is guaranteed to be delivered to the purchaser of goods. If you just show a confirmation number on the screen in big bold red letters and ask to write it down, 99% of customers will not notice that. Some may not even see it because they walked away or closed the browser as soon as the transaction went through.

So the problem here is far deeper, it's not just lazy programmers. Perhaps it won't be solved until every one of us has a personal FIPS 140-2 USB or smart card processor on a keyring.

Re:HTTPS means something specific (1)

El Capitaine (973850) | about a year ago | (#43766301)

Or just not enclosing personal information in an email? Examples: Never send anyone their current password via email (even if it's at account creation and it's salted/hashed in the DB). Other secure information such as credit cards, ssns, etc......why send them via email? Just say 'Hello , there is issue with your account. Please login to to correct it.' Or lets say we consider receipt of medication purchases private.....have the confirmation email just show the price and delivery address and block out the names of the medication with XXX, saying 'the information has been hidden for your privacy' - in fact if more sites do this, the general public might finally realize that email is inherently insecure.

Re:HTTPS means something specific (2)

tftp (111690) | about a year ago | (#43766387)

Most people would find it inconvenient when an important electronic receipt comes with all important fields blacked out. When I buy for a company online I forward these receipts to the accounting. What would I do if the email doesn't say what I bought, how much I paid, what c/c I used, and so on?

I understand that it is perfectly possible to have a purely HTTPS online store, without using email at all. You could print your receipts securely on your local printer (or into PDF) and submit those. However hardly any store on the Internet operates this way. And even if we make that additional step and revolutionize e-commerce, still we would have a partially broken system that has a huge disconnect between the arbitrary identity of the user and the verified identity of the credit card (thus allowing anyone to buy with a stolen c/c.)

In practical terms, email is not easily interceptable. En route it is usually encrypted with TLS. That is easy because SMTP servers do not insist on authentication of peers. So only the two endpoints, those that hold private keys, have access to the content.

One could say that the SMTP server itself is vulnerable. Well, it is, unless you run your own. I do. It's trouble-free. On top of that, nothing prevents the server from encrypting stored emails so that it's hard for an operator (or an intruder) to gain access. For example, generate keypairs for each account, and make sure that the SMTP/database box has only the public half. To read mail (and decrypt) you have to log in with your password, which just happens to decrypt the private key - and that can happen on a completely different (IMAP) box, and only in RAM, and only while you are using the server.

So for all practical purposes it is easier - and probably safer - to keep the current practice. Most retailers black out the c/c number anyway; the last four remain, but how many cases are known of actually recovering the full number this way? (Just send a Google Glass wearer to the checkout line at any store and capture as many cards as you care to.) The rest is not very likely to get stolen. As I understand, most thefts of login data occur directly from databases because they are either not encrypted, or encrypted with a symmetric algorithm, and the key just sits right there (it has to, otherwise you cannot encrypt.)

But if people want change, it should begin at the basics - with secure and sufficiently trustworthy authentication and encryption; this means that everyone gets issued at least one keypair inside of a dongle. Once you have that, everything else becomes trivial. As I understand, DoD has implemented exactly such a system with a common access card [wikipedia.org] .

Re:HTTPS means something specific (1)

HJED (1304957) | about a year ago | (#43766619)

Um, SMPT dose not use encryption between mail servers, it is older then TLS and whilst there are secure extensions to the protocol for client/server interactions there is no TLS protocol for server to server interactions.
It is possible to encrypt emails with private/public key combinations, but I have never seen an ecomerce site do this.

Re:HTTPS means something specific (0)

Anonymous Coward | about a year ago | (#43766095)

...that you don't seem to understand. It has nothing to do with the way they use the data. It means only that the communication is being sent encrypted, and is thus not going to be caught by a man in the middle attack. That's it, nothing more.

People like you are why so many casual messages have become legalistic, full of disclaimers for things that were never claimed.

But not what you just said (1)

dutchwhizzman (817898) | about a year ago | (#43766369)

Whether or not the information is encrypted is not important in this case. It may be to you, but it's not to the party you are dealing with. The big deal is that you can be reasonably assured that you are in fact dealing with that party and not someone imposing as them, or someone intercepting the communications between you and them. HTTPS will always sign each data transmission, making it virtually impossible to alter the data under way or to have someone else impose you.

HTTPS is seldom about privacy, especially with all the monitoring, tracking and statistics going on. Try visiting the web without google or facebook getting cookies and tracking data on you, regardless of you visiting a site that uses HTTPS or HTTP. You can, but you'll have to go through great length to do so.

The data being sent back to you, goes to an e-mail provider you trust. If you don't trust them, you wouldn't be using them. The information you gave to the website is something that isn't that sensitive that you wouldn't want "strangers" to have. If it was, you wouldn't be handing it over to some web site. Yes, your address is in there. Very annoying that over a thousand companies and government departments (on average) have you on file. However, it's trivial to find out where people live, usually, so it's not a very big secret. The most annoying thing to me is the spam they keep mailing you even though you clearly indicated you were not interested in that. Sure, it could be handled a bit more secure than this, but in the end, you are responsible for the amount of personal data you are putting online and you know in advance that once you put it there, certain things are probably going to happen with it. If you only want to deal with companies that will default to sending you GPG encrypted e-mail, you'll not be shopping online a lot for the foreseeable future.

Re:HTTPS means something specific (1)

ArsenneLupin (766289) | about a year ago | (#43766689)

is thus not going to be caught by a man in the middle attack.

... which is nicely defeated if the man-in-the-middle can just grab it on the way back. So yes, the complaint is relevant.

Name and address? (4, Insightful)

scottbomb (1290580) | about a year ago | (#43765991)

People are waaaaay too paranoid these days. There is nothing sacred about your name and address. No one can steal your identity with it. If the email had your SSN or DOB in it, that would be different. But your name and address? If you have a landline phone, it's probably in a phone book and on numerous telephone directory websites and has been for years. Public court records have your name and address too. Nobody cares.

Re:Name and address? (5, Informative)

Anonymous Coward | about a year ago | (#43766079)

The thing that gets me is that when people give social security numbers, they always give the last four digits. The problem is that those are really the most sensitive for anyone who got one before the year 2011. I met a guy in college who could construct a whole SSN using your place of birth and birth date. The reason is that the first 3 represented geographic location and the middle 2 were given out in a certain order. The last four ticked up for each person assigned and where therefore the hardest to narrow down and guess. The reason is that they were not designed to be used the way we use them, and instead the government should come up with a ground up, randomly assigned number to actually identify people with or require that the ssn not be used that way.

Re:Name and address? (5, Insightful)

Anonymous Coward | about a year ago | (#43766125)

The reason is that they were not designed to be used the way we use them, and instead the government should come up with a ground up, randomly assigned number to actually identify people with or require that the ssn not be used that way.

Or we could just go with digital signatures aka RSA. It is 2013. Why the fuck are we still relying on a system that, each time you identify yourself to someone via SSN, you give them the non-revocable ability to impersonate you forever? It is earth-shatteringly stupid.

Re:Name and address? (5, Interesting)

Bing Tsher E (943915) | about a year ago | (#43766347)

The Government could fix the whole SSN issue by doing something direct and simple.

Publish all SSN's in a big directory.

They were never intended to be 'secret numbers' that would be used to validate anybody's identity. They were registration numbers for the Social Security System.

Publishing them ALL would force businesses and organizations to come up with real 'secure identifiers.'

Re:Name and address? (0)

Anonymous Coward | about a year ago | (#43766217)

"Randomly assigned number"

It's the mark of the beast!

Re:Name and address? (4, Funny)

Anonymous Coward | about a year ago | (#43766091)

Well since it's no big deal, what is your name and address?

Re:Name and address? (5, Interesting)

Zontar The Mindless (9002) | about a year ago | (#43766153)

I am sure that the incredible fucktards at Air China who sent recently sent me a flight confirmation would like to know that.

It contained my full legal name, home address, and phone numbers. This does not bother me so much, as this is Sweden where most information of this sort is considered public knowledge. Want to know how much my flat is worth and what I paid for it? Did I pay taxes last year, and if so, how much? Feel free to hop on over to Skatteverket and file an info request.

The email also contained this:

Identifying document: US Passport
Identifying document number: #XXXXXX
Identifying document valid until: xxxx2020

Until 3 days ago, as I have not yet actually used this passport for travel, the only people on Earth who knew this number were me, the US Dept of State, and the Swedish Migration Bureau. Now who the fuck knows. Who THE FUCK knows.

And my girlfriend cannot understand why I threw a fit over this, or why I am talking about legal options.

Re:Name and address? (0)

Zontar The Mindless (9002) | about a year ago | (#43766177)

Just in case it's not obvious from my little rant, the numbers in question were NOT obscured in the email.

Although the first 12 digits of my credit card number were...

*facepalm*

Re:Name and address? (0)

Anonymous Coward | about a year ago | (#43766311)

For most places in the US. Google XXXX county assessor. Click online property records or something. Click Search by last name. Enter last name. Click result. See full name, address, value, date/amount of purchase, # bedrooms/bathrooms, etc. Some places you may only be able to search based on address.

Re:Name and address? (2)

Zontar The Mindless (9002) | about a year ago | (#43766353)

If you reside in Sweden, you must by law register with the Folkbokföring (civil registry) and you must update your record with them when you move (got in a spot of trouble over this when I bought a place here and moved into it because I didn't then know about the registry or the law), so finding someone's address is dead simple. Your personnummer ("personal number"), which contains your DOB, is also a matter of public record.

Re:Name and address? (1)

phantomfive (622387) | about a year ago | (#43766335)

Is the passport number actually useful for anything? I can understand the desire to not send it in plaintext, and I would have been upset if that happened to me too, but I'm having trouble thinking of what an attacker could do with that number.....

Re:Name and address? (2)

Zontar The Mindless (9002) | about a year ago | (#43766415)

Use my passport number plus my full legal name and DOB to forge a passport that might easily pass for the real McCoy in some places.

Airports all have RFID/barcode scanners now, but there are many other ways into and out of countries. E.g., when I visited Cambodia a couple of years ago, the Khmer border guards at both Poipet checkpoints just looked at the photo, wrote down my name/nationality/passport number in their list, and waved me through. (No, I did not merely visit the gambling "free zone", I actually went into Cambodia.) Same thing happened when I crossed back into Thailand later that day.

There were no readers or scanners of any sort in evidence going in either direction. My girlfriend probably could have slapped her photo over mine and used my passport there.

Re:Name and address? (2)

houghi (78078) | about a year ago | (#43766637)

I, like probably most here on /., have my own domain. Whenever I need to enter details for something I order, I use a new email alias for each site. e.g. for this site it would be slashdot.org@example.com That way I will know who the fucks were that sold my address, because in many cases it will be sold and not leaked.

And them , if I know, I could decide what action to take. e.g. in your case none if it were the Americans or a lot, if it were the Swedes.

It does not prevent anything. It just makes identifying the guilty easier.

OTOH in the last 10 years that I do this, I have not once seen spam coming into one of those addresses, unless it was from the website itself.

Re:Name and address? (0)

Anonymous Coward | about a year ago | (#43766351)

People are waaaaay too paranoid these days. There is nothing sacred about your name and address. No one can steal your identity with it. If the email had your SSN or DOB in it, that would be different. But your name and address? If you have a landline phone, it's probably in a phone book and on numerous telephone directory websites and has been for years. Public court records have your name and address too. Nobody cares.

Scott, would you mind posting your name and address here as a demonstration of your conviction that nobody cares? I promise you that I won't do anything bad with it, such as sign you up for Fingerhut catalogs, NRA mailings, or NAMBLA membership.

Re:Name and address? (1)

war4peace (1628283) | about a year ago | (#43766371)

I fully agree; when I see someone saying "my name/address is private information" I feel like cracking a big smile. Or pitying them. Whichever comes first.

FUCKING PUSSY (-1)

Anonymous Coward | about a year ago | (#43765997)

" I email the relevant IT team as a matter of course to tell them it's not appropriate (mostly to no avail), but is there any legislation — in any territory — which addresses this? "

Golly gee whiz, maybe you should stop being such a pussy about it, call customer service and tell her that you hope she dies of cancer. Call their Filipino tech support and call the men "Magandas" and "Sea Trash." You aren't going to get what you want by being a pussy and asking nicely. You make it up to their managers, and cite fake statues which give you grounds to sue. Make fun of their accents and ask them what its like to shit in buckets. Just like its free for them to harass your inbox, its free for you to call their toll-free customer service and ensure that those stinky filthies don't have a good sleep for the next couple weeks.

-- Ethanol-fueled

Re:FUCKING PUSSY (0)

Anonymous Coward | about a year ago | (#43766325)

I forgot to add that my life's ambition is to blow Kim-Jong Un on live TV.

-- Ethanol-fueled

Bleah. (1)

Airdorn (1094879) | about a year ago | (#43766009)

You and your stupid personal details.

Since when... (0)

Anonymous Coward | about a year ago | (#43766011)

Since when is your name & address personal & privileged information that needs to be secured?

You're aware these things are a matter of public record, right?

Re:Since when... (1, Insightful)

Anonymous Coward | about a year ago | (#43766345)

Says "Anonymous Coward". :P

Because! (-1, Offtopic)

flyneye (84093) | about a year ago | (#43766015)

Not many could be bothered to learn morse code. Ba boom ching!
Hey, speakin of leaks;
How do you know when you're staying in a Arkansas hotel?
      When you call the front desk and say, "I gotta leak in my sink,"
      and the clerk replies, "Go ahead."

What's SSL got to do with it? (1)

Horshu (2754893) | about a year ago | (#43766025)

So you sent your info to someone encrypted. They sent it back to you unencrypted. SSL *does* assume you trust the recipient.

The reason is simple... (1)

bogaboga (793279) | about a year ago | (#43766027)

...You're dealing with human beings, and human beings make mistakes.

That's why.

Re:The reason is simple... (2)

SeaFox (739806) | about a year ago | (#43766085)

...You're dealing with human beings, and human beings make mistakes.

That's why.

Let's not assign to incompetence that which may simply be apathy.
For personally identifiable information that is non-sensitive, is there any reason they should care about taking measures to secure it (especially when it's not their own)?

The data wasn't leaked, it was shared (0)

Anonymous Coward | about a year ago | (#43766043)

If the data was shared with a partner is wasn't leaked.

Before you commenced your purchase did you read their privacy policy? Most likely the privacy policy stated that they share some of your information, (name, address, e-mail) with partners. Nicer companies let you opt out during the purchase process, but it's not required.

Keep in mind that your name and address are a matter of public record.

https:// allows the transfer of your credit card information so that it can't be stolen during the transmission from your computer to their computer.

Because it's not important? (5, Insightful)

Okian Warrior (537106) | about a year ago | (#43766057)

Why should they care?

There's no benefit to them keeping your information safe, it costs them time, money, and effort to do so, and there's no real consequences when they screw up. They will just put out a statement saying "all of our customer information was stolen, we recommend everyone change their password, and the hole is now patched - it can't happen again!".

Also, they can blame the thieves. "It wasn't our fault, it was that scoundrel who noticed that you can change the account number in the URL to get into someone else's account."

As to "we value your privacy", what does that actually mean? It means that companies have discovered that people trust companies that make that statement, and are more likely to purchase from such a company.

That's all it means, and no more. It doesn't mean that they care or that they abide by the statement, it means that they think they can get more business by using that phrase liberally in their public-facing documents.

You're living under the naive assumption that companies mean what they say and will do what they promise. They do what the consumer protection laws force them to do - any statement that reflects these laws is probably true, while the rest is simple puffing [thefreedictionary.com] .

Re:Because it's not important? (1)

King_TJ (85913) | about a year ago | (#43766271)

Sure... but even if they really DO care, who's to say they just weren't successful at keeping your info safe anyway?

I've been saying for years now that "computer security" is largely a sham. Time and time again we find out that the biggest manufacturers of anti-virus software are companies run by shifty individuals with poor coding abilities, and respected makers of firewall appliances and routers sourced components from countries like China which had back-doors built into them at the processor level. Encryption schemes provided by all the big commercials software makers are suspect too, since U.S. govt. seems to demand they give them "keys" to break in, if needed.

Look at the stream of security flaws being found in Java, and think about how often it gets used in the design of web applications.

How many web sites run on IIS -- another product historically full of security holes?

There's a LOT of money to be made by promising people you can help secure their systems, and as long as nobody really TRIES to get past whatever you put in place, you can brag about its "100% effectiveness". Anyone trying to do e-commerce business online has a primary goal of generating a profit selling the goods or services they're concentrating on providing. So right off the bat, these people are simply NOT going to have the time to invest a whole lot into securing customer data. They're going to go with the existing "pre fab" tools and products that are advertised as secure and recommended by others. When it turns out one of those isn't so great after all -- oops, there goes your private data again!

I think you really DO have to place the lion's share of the blame with the thieves - which include both the hackers who took the data, AND the "computer security" folks who made a small fortune selling half-baked products and services to people trying to achieve security.

Re:Because it's not important? (1)

El Capitaine (973850) | about a year ago | (#43766317)

The great thing about those pre-fab solutions is that when someone DOES steal consumer data, you have a scapegoat too!

Well also how are you supposed to store things? (1)

Sycraft-fu (314770) | about a year ago | (#43766343)

See if the point of someone having your information is to, well, be able to access your information then it needs to be stored in that format. A password can be hashed, but something like name and address needs to be stored in text. Encrypting it is the kind of thing that does a limited amount of good. They may well encrypt it on disk, but the software that accesses it still needs to be able to decrypt it, wouldn't be of much use if it couldn't. So if someone busts in through a problem in the software, they can get your data.

It is easy to get mad and say companies should "do something" but ask yourself what that something is, I mean really analyze the problem, and then try and come up with a solution that works. It is harder.

We deal with that kind of thing at work. Securing data isn't just a magic switch you can flick. Like our new storage array has self-encrypting drives. Great, we can, with no performance loss, encrypt everything on it... However that only really helps against it getting stolen, or if we forgot to wipe the disks when we decommission it. Being that all data is encrypted, the unit has the password (it is a power-on kind of thing) so if you bust in over the network, well then you can get at the data unencrypted.

For more sensitive stuff you can take it a step further, use Sophos (ya that is what they bought, no not my choice) full disk or file container encryption. That means that if a system with it is lost, nobody can get the data. However, when that system is online and the FS mounted, again a break in can get at the data.

The only way to stop network breakins from being a possible compromise is to take the systems entirely off the Internet. Not only is that unfeasible in normal cases, but it is impossible if you are talking the system that is to handle talking to the users online.

I can't come up with a way that you can have a system where the data is secure, even if the system gets compromised. Of course you try and stop systems from getting compromised, but the idea that data should be stored somehow that even if a system gets broken in to you can't get at it is rather silly.

Cut down the number of online companies (0)

Anonymous Coward | about a year ago | (#43766073)

...you do business with, in the sense of providing personal details such as real name, address, and phone number.

Yeah, it's hard. For example if you want to buy tickets, then you probably will have to deal with Ticketmaster. But at least I can say that I am NEVER tempted by a one-time deal like "sign up and we'll give you 50 percent off your first order, and send you a free gizmo." Or "sign up and join the online community of citizens and professionals interested in saving mankind by exchanging views on technology X." I guess I'm a little paranoid.... maybe that's why I post here as AC.

The usual ID 10 T error (1, Insightful)

dbIII (701233) | about a year ago | (#43766133)

It's just like some fool sending you an encrypted archive with the password in the same email. It looks cool and they don't know how much of a useless waste of time it is. The actual gatekeepers only get the superficial cargo cult appearance of security from the people that should be the gatekeepers, but that's seen as OK since you'd need to employ somebody to do it all properly. Putting on a show is cheaper.

Re:The usual ID 10 T error (1)

Anonymous Coward | about a year ago | (#43766273)

It's just like some fool sending you an encrypted archive with the password in the same email. It looks cool and they don't know how much of a useless waste of time it is. The actual gatekeepers only get the superficial cargo cult appearance of security from the people that should be the gatekeepers, but that's seen as OK since you'd need to employ somebody to do it all properly. Putting on a show is cheaper.

There's nothing too crazy about that if the email system is trusted more than the entire lifetime of the file on theirs & your computer, like a mobile work computer, or if the sensitive lifetime of the information is very long (SSN, bank account numbers can last a lifetime). Weight the importance of protecting it in transit vs. where it is likely to sit afterwards and for how long.

Lets say HR sent everyone a copy of their pay & benefits with home address, there's some level of protection there from computers being swapped out to other users, going to the service desk for maintenance, getting stolen, etc. I'm assuming the archive utility sensibly deletes temp files that were extracted after you close it...

Security is not black & white, there's lots of good enough reasons for not taking the time to IM or call you with the archive password, like if you had to send out hundreds of them. It is good enough protection for some things.

Key + lock together means why bother to lock? (1)

dbIII (701233) | about a year ago | (#43766543)

It looks like you missed the entire point - if you include the password in the same email as the encrypted file then there was no reason at all to encrypt it in the first place other than a waste of time and a cargo cult illusion of security. Sending the attachment in plain text makes more sense in the situation since all the encryption does is waste time. Less of an idiot would contact you, give you the password, then send the attachment WITHOUT the password - just like how the banks don't send you the ATM card and the initial personal identification number in the same envelope but keep them apart.

Security is not black & white

It is in some cases where a failure is just a counterproductive waste of time like the one mentioned above and others that even make it to the news on occasion.

It is good enough protection for some things

No - it is completely unprotected if you have the locked thing in the same place as the key - you may as well just leave it unlocked. The danger in the case is that the sender assumed that only the intended person could get the information and they assumed that encrypting the file would magically do that even if the key was included.

I hope that was enough and didn't come off as condescending. I did not expect to have to explain it on such a site and especially didn't expect someone that had missed the point attempting to give me a flawed lecture on security trying to find a non-existent excuse for an epic failure and finishing with some very bad advice.

Its not for your name and address. (1)

Anonymous Coward | about a year ago | (#43766139)

The companies that use https are using it for many reasons, such as to protect your credit card information to remain compliant with their card processors and by extension the credit card companies policies, as well as probably a few laws. Non-sensitive information is not protected information, so they can use that in any way allowed by their TOS that you agreed to.

Legislation is not the answer (-1)

Anonymous Coward | about a year ago | (#43766143)

You obviously care enough about this practice to come onto Slashdot and whine about it, but not enough to stop doing business with companies that leak personal information because you find their products "are otherwise desirable"

Grow a pair and vote with your wallet, don't expect the government to do everything for you by legislating.

Re:Legislation is not the answer (1)

darkain (749283) | about a year ago | (#43766163)

The problem is, how do you know which companies do this, until AFTER the fact? The OP stated it came in an email, which is after the fact.

Passwords (1)

darkain (749283) | about a year ago | (#43766159)

Last year, I switched ISPs... My new ISP emailed me my password in plain text as a "confirmation" after signing up for my account. Needless to say, I was horribly pissed off about it.

I totally agree!! (-1, Troll)

EvilSS (557649) | about a year ago | (#43766169)

I opened up my door the other day and there was a huge document, just sitting there, with my name, address and phone number inside of it in PLAIN TEXT. Something called a "phone book"!? WTF!? And it's all over the OUTSIDE of all the mail in my mailbox! These companies should be sued!

Re:I totally agree!! (1)

Bing Tsher E (943915) | about a year ago | (#43766383)

The point is, when anybody adds 'on the Internet' to a statement, it becomes hugely more critical.

"Somebody knows my mailing address."

Now, that is pretty bland. Anybody who drives by your house probably can figure that out quickly.

But change that to "Somebody on the Internet knows my mailing address" and it's time to pee down your pants leg.

It's similar in so many ways to the magic of patenting something by tacking 'on the Internet' on the end.

I've been 'online' for decades, going back to the BBS era. I was active on a local social BBS back in the late 80's. We got together on Sundays to play softball.

Everybody was so fricking scared to present themselves to the other people they were playing softball with using anything but their 'handles.'

There's something weird that happens when you allow people pretend to themselves that they have anonymity. No other explanation makes sense.

Don't worry about it (4, Insightful)

iceco2 (703132) | about a year ago | (#43766171)

The question is, who are you worried will find this super secret sensitive information (Your name, address and fact you use the site)?
The government? They don't need to intercept the e-mail they have easier ways of knowing it?
Some criminal targeting you specifically who manged to intercept this e-mail? He already knows who you are all he learned is you use this site,
simply seeing the IP is enough?
Some random script kiddie on the internet? intercepting e-mails is not that easy, yes they are in plain text but they are not broadcast over the internet for everyone to see
you have to position yourself along the route it travels (and this route normally doesn't change much) and attack somewhere along it, not impossible but hardly effortless. and why would he?
Which only leaves corporate espionage targeted against the site you are visiting, which though more likely then any other vector still seems a bit far fetched, and in the end all they learn is your name&address.
There are plenty of serious threats out there on the internet, this doesn't seem like one of them.
focus your worrying else where.

Good luck querying on encrypted data (1)

Crimsane (815761) | about a year ago | (#43766191)

When you want to do a search for a customer by email, you can't do that if its encrypted. We keep passwords in databases hashed, not encrypted, its not the same thing. If you want to be able to do customer support, it needs to be in a database unencrypted.

hashed huh? howabout salted? (0)

Anonymous Coward | about a year ago | (#43766405)

you ain't even seasoning right my nukka and you think your taste sublime

It's forbidden in places with sane privacy laws (2)

Etylowy (1283284) | about a year ago | (#43766229)

is there any legislation — in any territory — which addresses this?

It's forbidden in Poland. Similar rules apply in many european countries

encrypted email is not standard (1)

Khashishi (775369) | about a year ago | (#43766231)

If they offer the option of encrypting the email, it's not going to work for 99.9% of people anyways.

Re:encrypted email is not standard (1)

FireFury03 (653718) | about a year ago | (#43766699)

Yes, it is standard. Go look up S/MIME.

YOU MUST BE A REDNECK !! (0)

Anonymous Coward | about a year ago | (#43766251)

If you have to ask about which territories...

you must be a redneck !!

Charge them money... (1)

Anonymous Coward | about a year ago | (#43766305)

Charge them money. After all, it is your unfo they are making money from.

Of course, they will NOT pay. So you start a class action lawsuit against them and every other company
doing this. You may win, you may lose.

But if you win you will stop one hell of a lot of companies from doing this as it costs them nothing now
but may cost them heaps in the future

What's sensitive? (2)

Todd Knarr (15451) | about a year ago | (#43766323)

Your name, address and phone number are published in the phone book. What's sensitive here?

On a Web site, it's done over an encrypted connection not to protect the information but to prevent a third party from sitting in the middle collecting payment information. The combination of personal information with payment information (credit card number and expiration date), that would be sensitive. On their own either set of information should be non-sensitive, but combined it's sufficient to pass the authentication checks merchants and credit-card companies do. But just personal information without any associated payment information, what's anyone going to do with that that they couldn't do by looking through your local phone directory?

Speaking as someone who has worked on Retail sites (4, Insightful)

Anaerin (905998) | about a year ago | (#43766365)

Generally speaking, retail sites (Ones who have the really important information, like credit card numbers and the like) also only store hashed passwords. So asking for a password will get you a temporary link e-mailed (usually requiring further security questions) to set a new password. Other personal information, your name and e-mail address, are not considered worth securing, as you automatically send them out with every message you send, and all your mail is invariably addressed to you with your full name by your other contacts.

Postal addresses are generally something of a grey area. On the whole, they're not particularly secured (Anyone who was determined to find out could find your address from the phone book, electoral roll, or other public list). Credit card numbers are typically secured by removing/obscuring all but the last 4 digits, and items ordered are again typically treated as "Better to include with a receipt, as a double-check, than to exclude".

There is, as always, a fine balance in the "Privacy is required" to "more information is better" debate, but leaving that aside, while SMTP is a plain-text transfer medium, it generally requires quite a lot of work to actually get someone's details. For instance, you have to:

  • Poison a DNS record for a particular host (To point mail traffic at your server), or somehow spoof an IP address/routing record on the open internet

    Note, this will have to be done for the SMTP server(s) of the particular provider's message you want to intercept

  • Intercept the particular mail message you want (There's going to be a lot of mail coming through, most of it inconsequential)
  • Forward all the mail you've received on to the correct host (Which will be tough if you've grabbed their IP address(es)).

    If you don't do this, the provider will quickly notice they're not getting mail anymore and try to find out why, which'll get you discovered quickly

  • Find some way to actually use the mostly useless information you have gleaned.

    So Mr. John Smith lives at 1234 Anyroad, Someville, KY, and bought a can of compressed air and a USB mouse... So what? Start flooding him with ads for compressed air products? Offer him hot USB on PS2 action from waiting serial mice in his area? That'll get you some sales... NOT. Oh, and you can buy that kind of information already, from his credit card company or bank (who make a very nice profit selling those details anyway) for considerably more cheaply and easily than poisoning the entire internet.

This isn't easy, or practical. Sure, if you want to, you can do it, but what is the point? If you're stalking them, there's much easier methods (going through their trash, trawling public records, google searching their name). If you're selling to them, there's easier ways (Buying details lists from credit bureaus, mass mailing).

The problem of secure e-mail has been around for a long time, and many solutions have been proposed for the problem (S/MIME, PGP, Domainkeys), but it's largely a chicken-and-egg problem - Secure mail systems are not universally supported, so it's not used/Secure mail systems aren't used, so they're not supported. Solving this problem is left as an exercise for the reader. Obviously.

Old School Management (0)

Anonymous Coward | about a year ago | (#43766409)

To 'encourage' the employees to leave !

Employees, other than the 'Elites' are the dregs and the scourge 'Modern' Corporations.

Get over it... (1)

wakeboarder (2695839) | about a year ago | (#43766435)

Your data is probably shared all over the internet anyway. Example of this is when you go to sign up for myups, they know who your parents\granparents (and their addresses. They use the info to generate questions to validate who you are, try it, it's spooky). You can't guard you info everywhere, and if someone really wants your information, they will get it. Just don't make yourself a target. I try to limit what goes where, but I don't loose sleep at night about it.

Post Their Details Here (1)

Anonymous Coward | about a year ago | (#43766479)

"What recourse does one have to tell them to desist from such behaviour whilst still doing business with them if their products are otherwise desirable?"

Now that you've got slashdot's attention, you could try identifying them here along with the specifics of their customer privacy issues as you have observed them for others to consider. The Internet will sometimes pick up on that sort of thing and respond in a way that can cause a company to renew its interest in the matter.

I bought a used PC once. I found some stuff on it, including customer data. I contacted the company I had bought it from with suggestions about how to go about wiping drives securely before disposing of PCs. Unsurprisingly, I got a "not that big a deal" response. Mostly for my own childish amusement, I contacted them again and attached a few things that were on the drive, assuring them that I would be happy to either not worry about it or to wipe the drive for them, whichever they wanted me to do. The data included enough to identify the drive as having belonged to a company officer, along with details about one of their clients that they invoiced over $10 million a year, customer data, and porn. I attached some examples of all but the porn, only mentioning in passing that there was also porn. Being a fiendish bastard, I knew that in that case, it would be more effective to let people's imaginations do the heavy lifting. The response that I got indicated a high degree of interest in reducing future privacy deficits.

In my experience, there are only two things that can motivate a corporation to do anything: Sufficient fear, or sufficient reward. If you want a company to change something, it may be necessary to offer them one or the other.

Logo Design (-1, Offtopic)

DAVIDPRESTON (2926859) | about a year ago | (#43766565)

Whether you have an idea of how you'd like your logo to look or you'd rather start entirely from scratch, we'll work with you to create a piece that expresses your professional mission and reflects your style. Logos are made with vector graphics to allow for simple scaling no matter the desired medium. Logo Design [logodesign.com]
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>