Sunday, January 26, 2020

Verify that Email Address!

I Get Confidential Email,
and My Own Email Address Can't be Used

Last week I received the complete travel itinerary of a couple who're taking a trip on Southwest Airlines.  I have their full names because the TSA says so, that's why.  I know when they won't be home and where they're going.  I know when they're coming back.  They live in a medium-sized town in Texas and one of the couple has a somewhat unusual first name, so it was pretty easy to find their home address.  It's a good thing I'm not a burglar!

Today I created a new AppleID because I got an Apple device for the first time.  I couldn't associate my Gmail address with that account because it was already in use.  Apple accepted my alternate email address without verification.

Someone set up a teacher account at DeltaMath using my email address.  This unknown person with unknown motives is now able to enroll students, possibly your kids... as me!  (I used the "forgot password" function to take over that account and protect your kids.)

I know people who routinely receive email for people in other countries and court filings that should be confidential at least until they enter the public record.  Same story.

How could such things happen?  Southwest, Apple, and DeltaMath were very careless; they blindly accepted the email address that someone typed into their form.  They simply don't care about either the quality of their databases or the security of their customers.

Email can go astray in a number of ways.  A simple error in entering an email address could inadvertently change it to the valid address of a third party.  A person who is concerned about unwanted email might deliberately provide a “false” address that is actually the correct address of an unknown third party.  Although unlikely, it is not impossible that someone could be the target of criminals who gain unauthorized access to the person’s email.

Legitimate Companies Verify Email Addresses

OK, spammers are never going to do this, but every legitimate company should verify every email address before accepting it as legitimate, and certainly before sending anything confidential to that address.  It's not hard, and the cost after implementation is extremely low.  I guesstimate that, in a professional setting, this would take a person-week, including specifications, managerial approval, and quality control.  Actual coding should take much less than a day.

Legitimate emailers should add to their customer databases an email status indicator with values unconfirmed, confirmed, and invalid.  When an email address is first added to the database, the status should be set to unconfirmed and an email to that address should be generated automatically.  The email should thank the person for providing an email address and should have a prominent link by which the recipient can confirm the email address and consent to receiving email from the sender.  Clicking the link should change the status to confirmed.

The same email should have a “this isn’t me” link; clicking the link would set the status to invalid.

No legitimate company should ever send email to an address with a status of invalid.  Whether to send anything other than the confirmation message to an unconfirmed address is a business decision, but I’d recommend against it in order to protect your customers’ privacy.  It might be better to send another confirming email if there is further interaction with that particular customer.

The status of existing customers should be set to unconfirmed, or perhaps pending, and a confirming email sent when there is new activity on the account.
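The status scheme described above, as an added Python example (not code from the original post). The HMAC-signed link tokens, the example.com URL, the class and method names, and the rule that a "this isn't me" click cannot later be overridden by a confirm click are assumptions; the registry is held in memory and keyed by address alone.

```python
import hashlib
import hmac
from enum import Enum
from urllib.parse import urlencode

class Status(Enum):
    UNCONFIRMED = "unconfirmed"
    CONFIRMED = "confirmed"
    INVALID = "invalid"

class EmailRegistry:
    """In-memory stand-in for the email status column in a customer database."""
    def __init__(self, secret: bytes):
        self._secret = secret   # server-side key; links cannot be forged without it
        self._status = {}       # normalized address -> Status

    def _token(self, address: str, action: str) -> str:
        msg = f"{action}:{address}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def register(self, address: str) -> dict:
        """Store a new address as unconfirmed; return the two links to email."""
        address = address.strip().lower()
        self._status.setdefault(address, Status.UNCONFIRMED)
        base = "https://example.com/email/"   # constructed placeholder URL
        return {a: base + a + "?" + urlencode({"addr": address, "t": self._token(address, a)})
                for a in ("confirm", "reject")}

    def handle_click(self, address: str, action: str, token: str) -> Status:
        """Apply a confirm or "this isn't me" click only if its token verifies."""
        address = address.strip().lower()
        if action not in ("confirm", "reject") or address not in self._status:
            raise ValueError("unknown address or action")
        expected = self._token(address, action)
        if not hmac.compare_digest(token.encode(), expected.encode()):
            raise PermissionError("bad token")
        if action == "reject":
            self._status[address] = Status.INVALID
        elif self._status[address] is not Status.INVALID:   # assumption: invalid is final
            self._status[address] = Status.CONFIRMED
        return self._status[address]

    def may_send(self, address: str, is_confirmation_mail: bool = False) -> bool:
        """Gate every outbound message on the stored status."""
        status = self._status.get(address.strip().lower())
        if status is Status.CONFIRMED:
            return True
        # Unconfirmed: the confirmation message only. Invalid or unknown: nothing.
        return status is Status.UNCONFIRMED and is_confirmation_mail
```

Every mail-sending path would call `may_send` first, so an itinerary or receipt never goes to an address whose owner has not clicked the confirm link.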

Well, then Why Not?

Companies that don't bother to do this are either spammers or they simply don't care about either the quality of their databases or the security of their customers.  That's especially true in the case of companies that send information that's even mildly confidential.