Password spamming

When Web companies make deals, sometimes it's not cash that changes hands.

Published June 3, 1998 7:00PM (EDT)

Normally, I delete spam almost before I read it. But the unsolicited e-mail message that I received Monday morning from theglobe.com froze my index finger over the delete key right in its tracks. This particular spam, announcing that I now had a "FREE VIP Membership to theglobe.com ... your friendly full-service integrated online community," included my user name -- and a password that I regularly use on other sites, such as the New York Times and the Wall Street Journal.

I had never visited theglobe.com, one of the handful of companies attempting to strike it rich by offering free home pages and other services to the general Web-going public. But they had somehow gotten their paws on my password -- and, as soon became clear, passwords belonging to some 35,000 other Web users.

By its own admission, theglobe.com screwed up -- a "co-branding" deal between it and the Web site for the magazine Advertising Age went awry. Vance Huntley, chief technical officer for theglobe.com, explained the mailing as the unintended result of the mass registration of Ad Age Interactive subscribers to a special section of theglobe.com's Web site. (I'd registered for Ad Age a while back, and that's where theglobe.com got my name and password.)

But even if this incident was nothing more than a blunder, it should still send a loud warning through cyberspace: In an era of frenzied consolidation and spaghetti-like cross-marketing deals, private passwords are less secret by the day.

What happened? According to representatives of Ad Age and theglobe.com, the heart of the business agreement was an arrangement in which theglobe.com hosts an interactive forum for Ad Age online subscribers --"Ad Age Interactions."

"Ad Age had specifically come to theglobe.com so that we could create an Ad Age community area at our site, where registered members at Ad Age would receive all the functionalities of a community (chat, home pages, surveys, discussion forums, etc.)," says Esther Loewy, director of communications for theglobe.com.

Ad Age wanted to avoid inconveniencing its subscriber base by forcing them to re-register to enjoy the benefits of the new forum. So theglobe.com registered the entire 35,000-strong membership database en masse.

"We wanted to provide a seamless experience for our users," says Brian Quinn, Eastern sales manager for Ad Age Interative. "We didn't want to require them to come up with a new password."

Normally, says Huntley, a standard, automated procedure is set into motion each time new users register at theglobe.com. New users are immediately e-mailed a confirmation of their registration, complete with the username and password they've selected. These confirmations also include pitches for new services -- in particular, theglobe.com's "HomePage Builder" service, "which makes it super easy to get your own HomePage up and running."

Such confirmations are increasingly becoming standard practice for many Web sites that require registration -- even though many privacy experts counsel against ever sending an unencrypted password through regular e-mail. In this case, apparently, no one stopped to think that the mass re-registration of Ad Age subscribers -- which occurred without the knowledge or express permission of those subscribers -- would trigger off a bulk e-mailing, alerting all those subscribers that their passwords had just migrated from one company to another.

"That was not our intent," says Quinn. "The intent of that e-mail effort was to alert our AdAge.com users that their current password, or a close representation, could be used for entrance into our new co-branded online community, Ad Age's Interactions."

"It should be made very clear that Ad Age did not sell this list to theglobe.com for any promotional use on its own behalf," says Quinn. "In fact, we have never previously made this list available to any outside marketer. As stated before, our intent was to create a more positive experience for our users."

Unfortunately, the message from theglobe.com never mentioned Ad Age or the new Ad Age Interactions community. So instead of a seamless experience, the recipients of theglobe.com's mailing received a jolt.

Theglobe.com's Loewy conceded that "Ad Age should have notified their members of this promotional campaign prior to the campaign ... they are sending out an e-mail today to all their members, explaining the deal." But she also noted that Ad Age Interactive had run advertisements promoting the new Interactions site.

"We assumed that the month-long campaign was promoted sufficiently to Ad Age members so that they would be aware of their instant membership to theglobe.com when we sent out our usual welcoming e-mail to new members," says Loewy.

Instead, Ad Age stepped right on a land mine, outraging a group of Web users who are particularly sophisticated in the arena of advertising and marketing. By early Monday evening, theglobe.com's Huntley said that he'd received about half a dozen calls about the password spam. And he sympathizes with their concerns.

"I hate getting unsolicited mail of any kind," he says, "and it has always been our policy to say, hey, you're getting this mail because you typed your e-mail address into our Web site. This was an editorial oversight, but it has had bad repercussions. I think that it would have made a lot more sense to indicate to users what was going on. But alas, the mail has gone out."

"The really annoying part of this from my perspective is that the members of Ad Age tend to be a fairly technically savvy crowd," says Huntley. "We've been getting all kinds of interesting commentary."

Judging by the e-mail I've received since first publishing this story, few people reacted warmly to the sight of their own password, in plain text, sent to them by a complete stranger.

"There's kind of an implied sacredness to a password," says Bob Little, the moderator of a mailing list inspired by Marshall McLuhan, and a recipient, Monday morning, of the message from theglobe.com. "But the fact is you have no control over this."

"It's incredibly devious, if you look at the way the e-mail is phrased," says Little. "The essence of spamming is to make you feel that you might have actually wanted [the message] -- the whole idea is to delay the finger from deleting it. So here comes this message. It does not say you've never dealt with us before. It says you're now registered, here's your user name and password -- and it's the same one that you've used before, maybe a dozen times. Your first thought is, when did I register for this? I think a lot of people might go through this. We knew right away we never did this, and we're tired of people putting us on lists. It's really gross."

So is it likely to happen again? For Ad Age and theglobe.com, does this unpleasant incident get chalked up as just another learning experience?

"What we highlighted here is that we are not as sophisticated about it as other operations might be," says Huntley. "Had this been the 20th time we'd done this, perhaps there would be standard operating procedure to deal with this eventuality. This is the first time we've had anyone call and complain about this kind of issue. I think there are other folks doing it a lot more and that they have procedures in place to deal with it."

And there's the real problem. How often is this kind of mass re-registration of subscribers going on in the Web world? In the offline universe, mailing lists get bought and sold with increasing frequency. But private passwords? Is such user information being traded between companies -- and how often is it being used? Just think of one potentially disturbing possibility: Microsoft recently bought Firefly, the owners of a database far larger and more detailed than Advertising Age's. Microsoft now has access to all Firefly user preferences, not to mention their passwords.

Of course, Microsoft is probably smart enough not to send a bulk e-mailing to all those users that included their passwords printed in plain text. And they shouldn't. On the other hand, at least such blunders let us know what companies are up to with our information. Do you know where your password is tonight?


By Andrew Leonard

Andrew Leonard is a staff writer at Salon. On Twitter, @koxinga21.

MORE FROM Andrew Leonard


Related Topics ------------------------------------------

Privacy