Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Privacy

Micropayments Company Coil Distributes New Privacy Policy With Email That Puts Users' Addresses in the 'To:' Field (theregister.com) 22

Micropayments company Coil has emailed users its new privacy policy but placed hundreds of their addresses in the "To:" field and therefore breached their privacy. From a report: The mail had the Subject line "Updates to Coil's Terms and Privacy Policy" and offered links to the document. The Register has read it and can report that while it reveals that Coil seeks permission to share users' details with service providers, partners, and "related entities." We cannot find a clause that resembles: "We reserve the right to expose your email address to countless other Coil users in the 'To:' field of an email."
This discussion has been archived. No new comments can be posted.

Micropayments Company Coil Distributes New Privacy Policy With Email That Puts Users' Addresses in the 'To:' Field

Comments Filter:
  • Empty words (Score:5, Informative)

    by Scutter ( 18425 ) on Tuesday November 17, 2020 @11:15AM (#60734504) Journal

    Unfortunately, due to a human error related to how we interface with our mailing list provider, a number of users' email addresses were populated alongside yours.

    This mistake is especially painful as we take privacy extremely seriously

    But not, apparently, seriously enough to properly train your marketing department or automate in a way that prevents this sort of problem in the first place. In other words, you're lying just like every other company who claims to take privacy seriously.

    • I'd hate to be the guy in DevOps that bungled this.

      • As with most companies that collect user data, their main goal does not seem to be privacy (in spite of the existence of a "privacy" policy), but the monetization of that user data. This company just seems to have said the quiet part out loud.
        • Almost all companies take privacy very seriously. In fact, it is their primary goal. But they care about their privacy, not yours. Any official privacy policy is a way for them to keep their own dealings private, while lying to you in writing.
    • by hey! ( 33014 )

      Hmmm.. Sure training helps *some*, but a secure system has to be built around the assumption that even trained users are unreliable.

      If you want to *enforce* security, you have to restrict access to sensitive information. If user email addresses are sensitive, then use of those addresses probably needs to be done exclusively through something like a CRM system. If users have access to those addresses they *will* misuse them, even if you train them not to. At the very least you need to make it sufficiently

      • by ahodgson ( 74077 )

        Training might mean teaching users how email actually works. Given the conversations I've had at least monthly for the last 20 years, I assume that's impossible.

  • Too many companies wanting a cut of a small pie. Even with cash, no one wants to mess around with low denomination coins they are simply just pocketed and forgotten about when an x.99 product is bought.
    • The problem is most sites will only go one way. If I am exposed to Ads I want some Micro transactions sent back to me.

  • by battingly ( 5065477 ) on Tuesday November 17, 2020 @11:38AM (#60734600)
    We have no laws in this country that require companies to take privacy seriously, so there is no incentive for them to do so. The endless apologies like this one that we see every day have long lost any scent of sincerity.
  • Who needs the BCC field? Reply-all storm in 3...2...1...

    • Why not just do individual emails? Then the customer's privacy is respected, and it is less likely to be filtered out as SPAM. Having no one in the To: field and only recipients in the BCC field would quite likely get it marked as SPAM as well.

      I'm also curious about the configuration of their mail server that allows 500+ recipients in the to: field in one email. Unless the script writer was clever, and broke the To: list into $server_limit - 1 sized chunks. Ah, looks like the server limit of email was 1

      • by ahodgson ( 74077 )

        The BCC field is only a "field" on the sending side, it doesn't get transmitted. Sending the same message BCC'd to 100,000 people has the identical effect on the receiving end as sending 100,000 individual messages

        Although, if you do send individual messages you can put the recipient in the To: header, which _may_ have some effect on recipient filters. I know I add filter points for bcc'd messages from non-whitelisted senders.

  • Never fall back on "We care about privacy", because you don't, which is why this issue happened in the first place. I'd be interested if that email was accompanied by a PGP public key, which is almost the bare minimum required for "privacy" aware email?

    It's amazing how many companies take privacy seriously, and care deeply about their privacy practices, yet don't seem to understand or grasp what "privacy" means in different contexts. I've honestly lost count of the number of companies who don't utilize P
  • by theshowmecanuck ( 703852 ) on Tuesday November 17, 2020 @12:35PM (#60734824) Journal
    Does anyone really think their email addresses are private anymore? It's like posting shit on the internet, once it's out there it's probably going to end up public eventually anyway. I just care whether they have proper access and authorization functionality.
  • Really, this company fucked up and the best thing they can say is "OK, we screwed up". No fake sorries, no long winded excuses, nothing.

    Every word they say in their excuse piece just buries them deeper.

  • Email has been around since 1971 so its secrets should be known by now.

/earth: file system full.

Working...