Like most tech geeks, I own multiple domain names and dozens of email addresses. I have configured many of my email servers with “catch-all” or wild-card forwards that allow mail sent to any address at a particular domain to be delivered to a particular inbox. One of my uses for this setup is to allow me to use unique email addresses when I give out my email address to online businesses. Doing so allows me to filter incoming email, immediately gauge the priority of email, and track whether any of my email addresses leaks beyond the online company with which I originally shared it.

With two notable exceptions, email addresses I have given out to companies end up being used by them only for legitimate business communications. The two recent exceptions: Addison-Wesley and Lands’ End. Spam is making email less and less useful each passing month as hundreds or even thousands of spam messages flood my inboxes daily. I always thought the people who sell or trade email addresses for spam use were faceless individuals operating from their living rooms, not major companies like Addison-Wesley and Lands’ End or their affiliates.

With Addison-Wesley, I signed up for an email list several years ago for announcements of new technology titles. For a while, I received emails from Addison-Wesley every month or so announcing its latest technology books. The mailing list was low-volume and useful.

I no longer receive announcements of new books from Addison-Wesley. But the email address I gave them is now used by spammers several times a day to send me unsolicited commercial email messages. Here are some headers from a spam email I received tonight advertising “Cheap Vl x AG x RA”:

Return-Path: <olmedaa@iskiv.net>
Received: from iskiv.net (lns-bzn-22-82-249-89-146.adsl.proxad.net [82.249.89.146])
    by [my email server] with SMTP id k9T7mmeJ029902
    for <awbookalert@[my domain]>; Sun, 29 Oct 2006 07:48:54 GMT
Reply-To: "Romano Wischmeier" <olmedaa@iskiv.net>
From: "Romano Wischmeier" <olmedaa@iskiv.net>
To: awbookalert@[my domain]
Subject: Re: 693

Now, with an email address like “awbookalert,” you figure no spammer stumbled onto this address by guessing. More likely, the spammer purchased the address from someone who stole it from Addison-Wesley’s computers, or Addison-Wesley gave it away or sold my email address for use by spammers. I consider it unlikely this email address was stolen from my computers because I use several “alias” email addresses and have had a problem only with this one I gave to Addison-Wesley.
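The per-company alias check described above can be automated. The following is an added example, not part of the original post: the alias registry, the expected sender domains and "mydomain.example" (standing in for [my domain]) are constructed placeholders, and the sample message is modeled on the headers shown above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical registry: alias local part -> (company it was given to, expected sender domains).
# The domains are constructed placeholders, not the companies' real mail domains.
ALIASES = {
    "awbookalert": ("Addison-Wesley", {"aw-publisher.example"}),
    "landsend-order": ("Lands' End", {"le-retailer.example"}),
}

# Constructed sample modeled on the headers above.
SAMPLE = """\
Return-Path: <olmedaa@iskiv.net>
Received: from iskiv.net (lns-bzn-22-82-249-89-146.adsl.proxad.net [82.249.89.146])
\tby mx.mydomain.example with SMTP id k9T7mmeJ029902
\tfor <awbookalert@mydomain.example>; Sun, 29 Oct 2006 07:48:54 GMT
Reply-To: "Romano Wischmeier" <olmedaa@iskiv.net>
From: "Romano Wischmeier" <olmedaa@iskiv.net>
To: awbookalert@mydomain.example
Subject: Re: 693

body
"""

FOR_RE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.I)

def envelope_recipient(msg):
    """Take 'for <addr>' from the first Received header that has one (topmost first), else To:."""
    for received in msg.get_all("Received", []):
        m = FOR_RE.search(received)
        if m:
            return m.group(1).lower()
    return parseaddr(msg.get("To", ""))[1].lower()

def check_leak(raw):
    """Report whether mail to a tracked alias came from the company that alias was given to."""
    msg = message_from_string(raw)
    local = envelope_recipient(msg).partition("@")[0]
    # From: is forgeable; a mismatch is still strong evidence the alias left the company.
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if local not in ALIASES:
        return {"alias": local, "verdict": "unknown-alias", "sender_domain": sender_domain}
    company, expected = ALIASES[local]
    ok = any(sender_domain == d or sender_domain.endswith("." + d) for d in expected)
    return {"alias": local, "given_to": company, "sender_domain": sender_domain,
            "verdict": "expected-sender" if ok else "alias-leaked"}
```

Because the From: header can be forged, an "expected-sender" verdict is only as trustworthy as that header; matching on an SPF- or DKIM-authenticated domain is the stricter check.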

I checked Addison-Wesley’s privacy policy to see if they protect email addresses as private information. You know what? They don’t. Addison-Wesley treats as private “your name, address, phone number, date of birth, job, personal interests, and credit card information,” but your email address is not covered by Addison-Wesley’s privacy policy. Addison-Wesley, and parent company Pearson Education, should be ashamed to have a privacy policy like this where email addresses are not held in confidence.

Another company contributing to spam is Lands’ End. My wife ordered clothing a few weeks ago online from Lands’ End, again using an email address unique to this one transaction. Lands’ End sent two emails to this address: an order confirmation and a shipping notice.

Last week, though, she received an email sent to this unique address from a company advertising self-confidence books. Her thought was Lands’ End either suffered a computer security breach, and the thieves sold her email address to spammers, or this publishing company is affiliated with Lands’ End. Lands’ End’s privacy policy acknowledges the company shares private information with business partners. My wife called Lands’ End to find out how this publishing company obtained her email address.

The Lands’ End customer-service representative my wife spoke with assured her the publishing company is not affiliated with Lands’ End, and that Lands’ End experienced no data security breach. The spam must have originated, she said, by someone breaking into her ISP’s email server and stealing that address.

Yeah. Uh huh. Someone broke into an email server and stole a solitary email address. These thieves overlooked the dozens of other email aliases on her server and focused solely on this one email address she shared with Lands’ End. (Her email server is different from mine, by the way, eliminating the possibility that a single server was the source for both these email addresses picked up by the spammers.)

If Lands’ End’s computers were not broken into, it seems likely one of its business partners is using email addresses in ways not sanctioned (or at least acknowledged) by Lands’ End. A possible partner could be Coremetrics, a company that provides website analytics for Lands’ End. Lands’ End says they share website information with Coremetrics, but the “data that they collect for us [cannot be used] for any other purpose.” Interestingly, the self-help publisher who sent my wife the spam also is a Coremetrics customer.

I don’t want to cast aspersions on Coremetrics. They have many online retail customers. What I want to ask Lands’ End is which is more likely:

  • Hackers broke into two of our ISP’s email servers and stole one email address from each?
  • One of your business partners is violating the confidentiality of your customer information?
  • A hacker broke into your computer system and stole information?

I would think the likelihood of the latter two scenarios to be much higher, and a much higher concern to Lands’ End.

If companies don’t want to suffer black eyes when the public discovers how casually or carelessly they treat their customers’ information, they need to start treating data privacy more seriously. The alternative, they will find, is that Congress will receive enough pressure from Americans so fed up with spam and identity theft that they will tighten data-privacy laws to make it a criminal offense when what should be private data leaks from their computer systems. When the first CEO goes to jail for contributing to spam or identity theft because the company treated customer data carelessly, perhaps that’s when we’ll see companies treat customer data with more seriousness and care.