20 October 2013

Reverse Identity Theft



XKCD totally gets it! I am an early adopter. I joined and paid for Blogger when Ev was still in an apartment on Judah St. My Twitter number is only 6 digits. I’ve had an Amazon account since 1998 or so. I’ve had my gMail account only a tiny bit less: certainly it was this millennium, but it was before 9/11. I can still see the office I was sitting in the day I got my invite - and sent out a few to friends who asked. Back in those days you could still do cool things like hold raffles on your website: “I’ve got some more gMail invites, the first ten of you to write and post a Haiku about how awesome Cherry iMacs are (and link to me) will get one...” The cool thing is that I was in so very early that I managed to get my first initial and last name at gmail.com with no numbers or other qualifiers at all.



I’ve got a common last name. You may not be surprised how many people think their email address is mine. Over the years - including once whilst writing this article - I’ve very politely written back to a number of parties and said, “I think you’ve sent this to the wrong address.” Other parties have registered my email address assumedly by mistake, or else used my email address to avoid spam in their real address. There are a lot of my first initials out there. There would be my real name, e.g., Huw, then Hugh, Henry, Hyrum, Harry, Harold, Halley, Heather, Henrietta, Haighlea, Harley etc, and then because it’s gMail and the punctuation doesn’t matter, there’s h. and h- and h_ in all of its possible permutations. Then there are typos - as the most recent one was (evidently the party left out a middle initial in the address).


So for the humorous, yes, one party put my email address on her bridal registry:  I do hope she liked all the avocado green place settings.  I couldn’t resist.  There were travel documents - one airline with whom I was already registered kindly assuming that anyone using my address must actually be me - I could have cancelled them, at least they didn’t ask me to pay for the tickets to Europe!  Magazines constantly send offers to me thinking they are reaching more appropriate folks.  One party in England used my address to register at a couple of very posh eateries of the sort that bother to write personal emails to invite you to come back to dinner.  One party in LA uses my address, still, for just about everything - and her parents don’t seem to remember me every time I have to write and say “I’m not your daughter.”


Honestly, I only get annoyed when they keep contacting me after I’ve clicked unsubscribe or when I’ve contacted them once to say “Not me”.  The only thing more annoying is the woman who owned my phone number before I got it and bounced a lot of checks.  After eleven years with this phone number I still get calls from claims investigators looking for this scofflaw from North Carolina.


The security aspect, however, wasn’t quite clear to me until one party registered his first initial and last name at gmail.com (my email, that is) as his email on his SAT.


With no way to turn it off until it was too late, the SAT sent his score and my email address to just about every college in the known universe. I was able to tell the SAT they had the wrong address with one click, but the report had been sent out already. At my address, he was offered scholarships, invitations for visits and telephone interviews if he couldn’t show up. I heard about visiting days, advanced programs and work-study options. Most of these had “unsubscribe” links at the bottom and since I couldn’t be bothered to track any of this I did, just as a matter of course, click unsubscribe on everything. Those that didn’t have unsubscribe were blocked as spam (thank you, gmail, for an excellent filter) and, after a couple of months, it all stopped. But as the next admission cycle rolled around, a few colleges decided to try again.


After clicking unsubscribe one morning, suddenly I was staring at the home address of my erstwhile kin! One college, a tiny school in Missouri, didn’t unsubscribe, but rather invited someone to “confirm their account settings.”  I tried it again, yup: his home address and phone. No, I didn’t call him and say, “Hey, I’m the reason you never got your SAT scores or that scholarship to Harvard.”  Instead I contacted the college admissions office and said, “This may be a FERPA violation.  You’d better check.” Of course it wasn't their fault - but it seems kind of odd to reveal so much information based on an unverified email.


Since that time, I’ve had more shocking events. People often send the most revealing photos to the wrong address. The email today was a photograph of handwritten account information, including phone numbers and, one assumes, some kind of UK personal ID number. I was most horrified at the Real Estate agent in Ontario that kept sending me loan documents for a family (that had given the wrong email) even after I asked her to stop. My assumption is that she called the family to confirm the email address and that they, again, gave the wrong email. But really, when you get email from an address, that’s about all you need. Loan documents.... with a lot of info on them. Just imagine that for a minute: with whom would you want to accidentally share your banking information?


This is what happens when you either mistype the intended email address or else give the wrong email address: you share personal information. Full stop.  It's not "Reverse Identity Theft" so much as "Free Identity Give-away". You've created a security leak on your own: and how much of one depends entirely on the company with whom you're doing business.


You may share it with someone who is kind-hearted and who will write you back and say “you’ve reached the wrong address” or you may not. You may reach someone who changes the color of your place settings, or you may share payment information or banking information in a way that can put you at risk!


After more than two decades in customer service of one form or another, I no longer think that most of these are mere mistakes.  I’ve worked for ISPs and websites. I’ve managed customer files for employment agencies and for IT departments in colleges.  Over and over people do not know their email address.  That’s not a mistake: that’s stupid.  “Ma’am, that address is not in our database. Sir, there is no account with that address.”  I have no idea how they manage to do this.  To me it’s like not knowing your own phone number.  Yes, certainly, it may be hard in a given moment to remember your own number - I never dial it, you know!  But after a moment you remember it and go “Ah, yes”.  And yes, certainly, people have multiple email addresses - I’ve got 7 or 8!  But again, it’s like your work phone and your home phone, or, better, your land line, your cell phone and your work phone and the fax number at the office - all of these are usually within easy reach of whatever passes for the remainder of my memory.


Uncharitably, either the vast majority of users are so very dense as to be unable to find their hometown on a map, or else  - with a bit more charity - they are just making up stuff to avoid giving out personal information over the internet.  “I’ll just say my email address is bilbo at baggins dot com and it will all be ok”. But that is just as stupid. Someplace Bilbo is waiting to get the next email and he may have nefarious plans on your precious information.


Right now I’m dealing with a very annoying case: a party used my email to register her B&N Nook. Now, I’m greatly astonished that there was never a validation email: click here to validate your account. Sure, I never had to validate my Kindle - but I've had the same address on my Amazon account for over a decade: that address was validated back then. I’m equally astonished that it took several weeks of conversation with B&N to get someone to contact their customer and ask her for a proper email address. I’ve even called B&N and they won’t talk to me about the account because I can’t validate it! But I could reset the password. Why would a customer do this? Why would a company not want to correct it? Who knows.

Again, when you either mistype the intended email address or else wilfully give the wrong email address you share personal information. Full stop.