Should E-Mail Addresses Be Considered Private Data?
A database of e-mail addresses and other contact information stolen from business software provider Salesforce.com is being used in an ongoing series of targeted e-mail attacks against customers of several Salesforce.com business clients, including SunTrust and Automatic Data Processing Inc. (ADP), one of the nation's largest payroll and tax services providers.
Security Fix learned of the data breach through a SunTrust customer who received a curious e-mail in mid-September; the message was sent to a custom e-mail address the guy had created for use exclusively with SunTrust. The message, which was addressed to the recipient by name and mentioned his company, urged him to download a PDF document to help resolve an identity theft complaint he had supposedly filed with SunTrust.
The recipient, who asked to remain anonymous to avoid any further risk of identity theft, said earlier this week that he received an e-mail from SunTrust that said a "third-party database used by a number of financial service providers, including SunTrust, was improperly accessed" [emphasis added.]
SunTrust spokesperson Hugh Suhr said the purloined data included the names, e-mail addresses and physical addresses for about 40,000 SunTrust customers. He said the customer list was stolen from a database held by Salesforce.com, and that contact information for ADP customers also was lifted from Salesforce.
Suhr said the bank received complaints from roughly 500 customers who received targeted phishing e-mails. He added that only a handful of those customers appeared to have fallen for the phishing scam and that the company is aware of approximately $9,000 in losses as a result.
ADP issued a press release on Sept. 14 about a similar attack, saying the phishers spoofed the "From" address to make it appear as though the messages had been sent by the company. As in the SunTrust attack, recipients were asked to download a file, which included malicious software (most likely malware designed to steal usernames and passwords from the victim's PC). ADP did not return calls seeking comment.
Salesforce.com's Bruce Francis, the company's vice president of corporate strategy, declined to say whether any customer-specific data was stolen, and refused to answer direct questions about the alleged incident, saying that doing so would not be in the best interests of its customers. He did, however, stress several times that "phishing is a fact of life for any company that does business on the Internet these days."
Both SunTrust and ADP emphasized that the stolen customer list did not include any sensitive information, such as account or Social Security numbers. Still, as this and other attacks have shown, phishers and other fraudsters can dramatically increase the success of their scams by obtaining customer e-mail lists from the companies they plan to target.
In August, job search giant Monster.com's resume database was breached by hackers, exposing confidential data on 1.3 million job seekers. The attackers then used the contact information from that database to send users targeted e-mails that appeared to come from Monster.com. Recipients were directed to click on a link in the message, which tried to install malicious software through Web browser security vulnerabilities.
Last year, phishers used a stolen database of Indiana University student and faculty e-mail addresses to conduct a targeted attack against roughly 24,000 students. That attack netted close to 80 victims, a relatively high success rate for a phishing scam with such a limited base of recipients.
Due to a proliferation of state disclosure laws, most U.S.-based businesses must alert customers if a data breach or loss jeopardizes personal or financial information. But these types of incidents raise the question of whether e-mail addresses also should be considered confidential information that, if stolen, should in and of themselves trigger notification requirements.
By Brian Krebs | October 19, 2007; 6:00 PM ET
Fraud, From the Bunker, Latest Warnings, Safety Tips
Posted by: Craig | October 19, 2007 6:29 PM
I believe Florida considers e-mail addresses to be in the public domain. I noticed a disclaimer on a town government website.
Posted by: Bud | October 20, 2007 10:01 AM
I note that CAN-SPAM (aka "you can spam") does make automated harvesting and usage for commercial spam (as opposed, unsurprisingly for an act written by politicians, to political et al spam, which is just as bad) illegal.
Posted by: Allen Smith | October 20, 2007 11:18 AM
It should be assumed that when you give your email out to a company, it will be sold, traded, and bartered by the companies. Email addresses are free, so most people I know have "dump" email addresses whose only use is to validate accounts. Mine is my hotmail address. I empty it once per month without even glancing at the contents. If a company proves itself with hotmail, I'll upgrade to yahoo, then aol, then one of three gmail addresses I have. My personal correspondence is done with only one email address that only my closest friends--and NO businesses--have. I have never gotten a spam email on that account because of this tiered-trust system. As the person in your article said, it may also be worth it to create unique accounts for each business you perform transactions with.
Posted by: L L L | October 20, 2007 5:17 PM
The statement that your source asked to remain anonymous "to avoid any further risk of identity theft" is a real stretch. After all, an email address does not equate to one's identity. Caution is always the best policy where email is concerned. If you aren't certain of the source, you're better off ignoring or deleting the message. If you've been scammed by a phishing attack, rather than search for someone else to blame, just look in the mirror and consider yourself wiser for the experience.
Posted by: woody | October 20, 2007 8:32 PM
woody writes: "The statement that your source asked to remain anonymous 'to avoid any further risk of identity theft' is a real stretch. After all, an email address does not equate to one's identity."
It's even more of a stretch when you consider the fact that identity is the one thing which, by nature, cannot be stolen. The term "identity theft", like "personally identifiable information" (no, the *information* is not personally identifiable; the *person* is), is just one more salvo in IT management's ongoing war to replace all sensible technical language with mumbo jumbo.
Posted by: aeschylus | October 20, 2007 9:10 PM
Yes this is private data. Yes this could mean a way of getting at companies 'in denial' and slacking in terms of security. So it's good on two points.
Posted by: Rick | October 20, 2007 10:56 PM
Email addresses are emphatically not private data. This is because they are exposed to parties not specifically authorized to view them by *necessity* as part of the SMTP protocol. Any email address you use ends up in the logs of typically at least two and often as many as five distinct mail servers, every time it is used. In addition, since TLS between mail servers is rarely employed, most transactions between mail servers happen in the clear; email addresses, therefore, are exposed to numerous unrelated parties, especially people who work at ISPs or peering points.
If data is to be considered private, at least some effort must be made to keep it that way while it is being used. Any data that is necessarily exposed to third parties in the normal course of its use cannot be considered private.
This is not to say that it is not a good idea to use distinct email addresses as much as possible when doing business online. I create a distinct email address for every company I provide an email address to. This allows me to determine easily when one company has shared my contact information with another, wittingly or unwittingly, and as a side effect, I can terminate any such email address at will without disrupting communication with other parties. I have this luxury, however, mainly because I operate my own mail server; others have more limited ability to use many email addresses effectively.
Posted by: antibozo | October 21, 2007 2:26 AM
antibozo is quite right. I think the bigger point though is what constitutes an "username" protected by a "password". If a business is so stupid or lazy to protect their customers' information with an easily guessed user name (e.g. an email address) they have lost the battle beforehand. Consider for a moment that your ATM card has a large random component (the number) and the PIN. Put another way, why do we have vanity license plates but not vanity MasterCards?
Posted by: GTexas | October 22, 2007 5:31 PM
GTexas> I think the bigger point though is what constitutes an "username" protected by a "password".
There is certainly usefulness in using unique usernames wherever possible. Here's an example: some years ago I signed up for a new ISP account from one of the local DSL providers, and used my unusual last name as the username, and consequently received an email address of the form lastname@isp.example.net. Lo and behold, this spanking new address started getting spam almost immediately, though I had never used the email address for any correspondence whatsoever. Initially I thought the ISP had sold an address database to some unscrupulous outfit, but later I realized that there are some spammers out there who simply combine every username they've seen with every domain they can find and blast out spam to every address that results (you notice this when you run a few mail servers). To defeat this, it is necessary to use a completely unpredictable value for the username as well as the password.
As far as it buying you real security, well, if you follow Kerckhoffs's law, you make sure the password alone contains all the security you need:
http://en.wikipedia.org/wiki/Kerckhoffs%27_principle
GTexas> why do we have vanity license plates but not vanity MasterCards
Well, it doesn't satisfy vanity, but many credit cards do provide single-use numbers. You generate a new number for each online merchant and the number is henceforth restricted to that merchant. Some cards also let you set individual credit limits for the generated numbers. But I'm guessing you already knew that...
Posted by: antibozo | October 22, 2007 5:47 PM
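The per-company address scheme described in antibozo's two comments above (a distinct address for each company, with an unpredictable local part), shown here as an added example; it is not code from the post or from any commenter. The secret, domain, vendor names and the `authenticated_domain` input (the sender domain the receiving mail server validated, for instance through SPF or DKIM, since the "From" line can be spoofed) are assumptions.

```python
import hashlib
import hmac

# Constructed values for this example only (assumptions, not from the page).
SECRET = b"constructed-demo-secret"
DOMAIN = "mail.example.net"
TAG_LEN = 10  # hex characters of the HMAC kept in the local part
EXPECTED = {"examplebank": {"examplebank.example"}}  # vendor -> its sending domains


def _tag(vendor: str) -> str:
    """Keyed tag, so an alias cannot be derived from the vendor name alone."""
    mac = hmac.new(SECRET, vendor.lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:TAG_LEN]


def make_alias(vendor: str) -> str:
    """Address to hand to exactly one company: <vendor>.<tag>@DOMAIN."""
    return f"{vendor.lower()}.{_tag(vendor)}@{DOMAIN}"


def vendor_for(recipient: str):
    """Return the vendor an alias was issued to, or None if it was never issued."""
    local, _, domain = recipient.lower().partition("@")
    vendor, _, tag = local.rpartition(".")
    if domain != DOMAIN or not vendor:
        return None
    # Compare as bytes so arbitrary input cannot raise, and in constant time.
    if hmac.compare_digest(tag.encode(), _tag(vendor).encode()):
        return vendor
    return None


def classify(recipient: str, authenticated_domain: str) -> str:
    """Triage one inbound message by the alias it was addressed to."""
    vendor = vendor_for(recipient)
    if vendor is None:
        # username@domain guesses never carry a valid tag.
        return "reject: not an issued alias"
    if authenticated_domain.lower() in EXPECTED.get(vendor, set()):
        return f"ok: {vendor}"
    # A valid alias reached by anyone else means the vendor's list got out.
    return f"leak: alias issued to {vendor} used by {authenticated_domain or 'unauthenticated sender'}"


if __name__ == "__main__":
    alias = make_alias("ExampleBank")
    for rcpt, dom in [(alias, "examplebank.example"), (alias, ""),
                      ("lastname@mail.example.net", "spam.example")]:
        print(rcpt, "->", classify(rcpt, dom))
```

Retiring a leaked alias then only requires rotating that vendor's entry, which leaves correspondence with other parties untouched.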
Antibozo, thanks for the link.
I too have a very unusual name not at all the sort of thing spam filters like, but I've had it since long before there was spam. I've spent hours coming up with a username combination some computer didn't think too rude.
My point about the vanity MasterCard was that not having a "BillGates" card number protects Bill and with a great deal of dilution, the rest of us 14 digit numbers. I'll bet Bill Gates' MasterCard thinks better of "security through obscurity" than cryptographers of the link do.
Posted by: GTexas | October 23, 2007 5:46 PM
An interesting conundrum here. The subject of this article relates directly to the policies Washingtonpost.com applies to posting comments. E.g., "...entries that are unsigned or contain "signatures" by someone other than the actual author will be removed. ..." So posting in and of itself exposes a portion of my email address; the domain name (@aol.com or whatever) is typically any of a finite set that a spamming computer can riffle through in a heartbeat. Unless there's more to the policy than what is published -- Voilà, antibozo, GTexas, rick, woody, Craig, and whoever get spammed. Interesting -- but clearly a consequence of being a participant, n'est-ce pas? Secrecy of an e-mail address is no more viable than secrecy of your dwelling address. Countless people can read either one without your consent or knowledge.
Posted by: JMP | October 23, 2007 6:05 PM
L L L writes: "It should be assumed that when you give your email out to a company, it will be sold, traded, and bartered by the companies."
That depends on the company's online privacy and customer information use policies. Some companies explicitly state that they will never release their customer's contact info (including e-mail addresses). Other companies, and in particular contest submissions, explicitly state that they *will* sell or otherwise distribute the likeness, name or contact info of an individual.
Paying attention to the fine print and making choices about which companies with whom you do business can positively impact your privacy and the responsible companies' bottom line.
While I understand the 'honeypot' method of e-mail account creation and use, modern day spam filtration AND the use of custom mail filters renders the use of a single e-mail account feasible.
Posted by: C.B. | October 26, 2007 4:45 PM
CB (comment above) is correct with regard to US data. US law focuses on a company doing what it says it will do as stated in contracts and its website privacy policy. In this case, salesforce.com has said the customer must opt-out to have their information safeguarded - so privacy breach must be evaluated on a person-by-person basis. However, salesforce.com also has a significant EU customer base and a Safe Harbor agreement. As such, it has agreed to hold all of its data to the EU standard. From a privacy perspective, they are on thin ice.
Posted by: DSolomon, CIPP | October 31, 2007 9:48 AM
DSolomon> CB (comment above) is correct with regard to US data.
There may be technical information that is correct, but CB is dead wrong in contradicting what L L L wrote:
L L L> It should be assumed that when you give your email out to a company, it will be sold, traded, and bartered by the companies.
L L L is correct. It doesn't matter what privacy policy a company follows because eventually that company may merge with or be bought by some other company, or it may go bankrupt and have its assets, including databases, sold to someone else. Even if a privacy policy should theoretically bind a third party in such circumstances, in practice it doesn't. And if that weren't enough, company-held databases are compromised constantly, so their privacy policy is irrelevant.
The only safe assumption is that any information you provide to a company will be shared with a third party one way or another. Technical security measures exist because people violate policies. This is no different. By CB's logic, you don't need locks on your doors, because no one will come into your house and take your things since theft is illegal.
Posted by: antibozo | October 31, 2007 12:48 PM
Whether email addresses are private or not aside; I'm more interested in how the data was stolen from Salesforce. Were they hacked? Was it via a phishing attack against one of their customers? A lot of companies use Salesforce so a data theft from them could be really bad.
Posted by: A.O. | November 1, 2007 11:51 AM
A.O.> I'm more interested in how the data was stolen from Salesforce.
http://blog.washingtonpost.com/securityfix/2007/11/salesforcecom_acknowledges_dat.html
Posted by: antibozo | November 6, 2007 2:20 PM
I don't understand the idea of staying confidential if you send someone an email. Usually such methods are used by spammers.
Posted by: Sally | December 3, 2007 9:37 AM
Cool topic! ;)
Posted by: Kilkoi | December 22, 2007 10:38 PM
The comments to this entry are closed.










Interesting post. If email addresses were to be considered confidential, then what of directory harvesting attacks? Would companies be required to monitor/prevent such attacks and notify upon successful attacks? If the company could prove the address was already public (Google), would that trump notification?