EmailDiscussions.com  

Old 14 Apr 2018, 03:52 PM   #16
miguelm
Member
 
Join Date: Sep 2006
Posts: 49
Quote:
Originally Posted by ferrety View Post
The last contact that this Communications Manager made to me was at 07.33hrs UK time yesterday (16.30hrs Melbourne Australia time). They thought to tell me what I was feeling, apparently I would "be pleased to know" (I wasn't). Also I was told that it was fine because they had told the survey company not to contact me. They seemed to think that made it all ok.

Bron's post here was written nearly five hours later at 12.16hrs UK time (21.16hrs Melbourne time). Making it look like they were talking to me. Yet the CM had ignored me for five hours at that point, it is now over 22hrs since she emailed me. I've barely slept, it wouldn't have killed her to respond to my email where I answered her questions before they left for the weekend.

It is the forum members that have answered one of my questions about changing the primary email now Fastmail have given it out. Thank you to the forum members for that. I had asked the CM this but she hasn't answered.

I had no idea that this person was a CM. I assumed from the way she was saying that it was fine because they told the survey company not to contact me that she was a normal support person. Another support person told me it was a phishing email. They said that I had to put the survey email in a special folder so Fastmail could see it.
I pointed out that I had already forwarded the email to them with my initial complaint & that another support person had already said Fastmail was responsible.

What bothers me most is the initial response telling me just unsubscribe. I've just told you that you have compromised my account & that is the response.
I have to agree with you. This did not happen to me, but one of the main reasons I still keep my Fastmail paid account is exactly because I thought they were more careful about this. Hm, I might think about just using Runbox from now on if they don't get this fixed.
miguelm is offline   Reply With Quote
Old 14 Apr 2018, 04:42 PM   #17
brong
The "e" in e-mail
 
Join Date: Jul 2004
Location: Melbourne, Australia
Posts: 2,696

Representative of:
Fastmail.fm
The issue has now been escalated directly to me, and I have replied outlining both the steps we have taken, my apology on behalf of the entire company, and what we can do in future to monitor the address and see if the exposure to a known third party has resulted in it being used by spammers.

I am quite happy to have all our interactions published.

My apologies for the delay in posting that initial response here. When I became aware of the issue, I was on a standing-room-only train at the time traveling to my father-in-law's house for family dinner.

Given that there was no timely element involved:

* the exposed data was an email address
* the related threat is receiving spam messages to the primary account name
* the mitigation is renaming the account, which can happen at any time and stop the flow of spam
* there was no evidence that there was an immediate flood of spam to the account, so delaying that rename by some hours made no difference

.. and since I've been overseas for the last month and this family dinner was the first one in a while, I politely waited until after dinner to sit down at my laptop and give this issue my full attention.

If my assessment of the urgency was incorrect, I apologise for that as well.

Regards,

Bron.
brong is offline   Reply With Quote
Old 14 Apr 2018, 05:07 PM   #18
ferrety
Member
 
Join Date: Mar 2018
Posts: 53
Quote:
Originally Posted by brong View Post
The issue has now been escalated directly to me, and I have replied outlining both the steps we have taken, my apology on behalf of the entire company, and what we can do in future to monitor the address and see if the exposure to a known third party has resulted in it being used by spammers.

I am quite happy to have all our interactions published.

My apologies for the delay in posting that initial response here. When I became aware of the issue, I was on a standing-room-only train at the time traveling to my father-in-law's house for family dinner.

Given that there was no timely element involved:

* the exposed data was an email address
* the related threat is receiving spam messages to the primary account name
* the mitigation is renaming the account, which can happen at any time and stop the flow of spam
* there was no evidence that there was an immediate flood of spam to the account, so delaying that rename by some hours made no difference

.. and since I've been overseas for the last month and this family dinner was the first one in a while, I politely waited until after dinner to sit down at my laptop and give this issue my full attention.

If my assessment of the urgency was incorrect, I apologise for that as well.

Regards,

Bron.
The related threat is that the email address is being given out to an outside company (& in another country) which could itself suffer a data breach. And many of these breaches aren't known/admitted until years later.

In future, as you are going to continue this practice, how about automatically creating an alias within each account & giving that out to your survey friends & whoever else instead of giving out our login email?
ferrety is offline   Reply With Quote
Old 14 Apr 2018, 05:34 PM   #19
lpn
Member
 
Join Date: Apr 2007
Posts: 72
Quote:
Originally Posted by brong View Post
...
Given that there was no timely element involved:

* the exposed data was an email address
...
Without going into a discussion of whether GDPR is relevant or applicable to Fastmail, in many cases an email address is considered personal information under GDPR. What I am trying to say is that the email address is sensitive information and should not be released to a third party.

Moreover in this case a survey could have technically been done without releasing any email addresses to the third party, e.g.
  • in-house hosted survey, or
  • creating temporary forwarding addresses that are to be given to the third-party and the one email from that company could have been forwarded to the real email address.
  • another option is for the survey company to create a list of links and these to be put by a script as email messages in the recipients' mailboxes or displayed in the web interface upon login.
lpn is offline   Reply With Quote
Old 14 Apr 2018, 06:13 PM   #20
17pm
Cornerstone of the Community
 
Join Date: Sep 2013
Posts: 536
Quote:
Originally Posted by TenFour View Post
Two things. A blog post questionnaire would not be accurate and is easily gamed. A professional survey company will choose a sample that more closely represents the users of Fastmail or whatever subgroup they wish to know more about.
They could easily only accept answers if the questionnaire was answered by someone whose account followed certain criteria. I don't think it would be hard to apply selection criteria.

Regarding the rest of your comment, it's bad practice to share your customers' email address. This is not even a discussion. Your customers shouldn't have to waste their time blocking spam that was caused by the email provider itself. There are also possible privacy/security implications.

Quote:
The issue has now been escalated directly to me, and I have replied outlining both the steps we have taken, my apology on behalf of the entire company, and what we can do in future to monitor the address and see if the exposure to a known third party has resulted in it being used by spammers.
You are ignoring a whole range of issues here, in my opinion. Receiving spam is not the only problem with what you just did. Monitoring the address for that will not solve the fact that you shared an email address with a third party without the consent of the owner. And your TOS probably mentions something about third party usage but still.

Last edited by 17pm : 14 Apr 2018 at 06:21 PM.
17pm is offline   Reply With Quote
Old 14 Apr 2018, 06:55 PM   #21
JeremyNicoll
Essential Contributor
 
Join Date: Dec 2017
Location: Scotland
Posts: 483
Quote:
Originally Posted by TenFour View Post
Two things. ... A professional survey company will choose a sample that more closely represents the users of Fastmail or whatever subgroup they wish to know more about. ... In any case, it seems like a mountain made out of a mole hill.
I'm interested in how you think a professional survey company can choose a sample... without having been told (by Fastmail) more about each of us than 'just' our login email addresses.

And, it's not a mountain out of a mole hill. Like others here, I treat my username email address as a secret value. I do not use it as an email address. Anyone who knows it has half the information they need to login to my account. Having that released to any company no matter who they are annoys me a great deal. And... it matters not a jot what a third party's privacy policy is - disgruntled employees selling on lists of working email addresses are not likely to pay any attention to a privacy policy.

However I did not previously realise that it's possible to change one's username. That does at least make damage limitation possible.
JeremyNicoll is offline   Reply With Quote
Old 14 Apr 2018, 08:25 PM   #22
Terry
The "e" in e-mail
 
Join Date: Jul 2002
Location: VK4
Posts: 2,995
Why did F/m give out the main address? Surely they could have used just an alias from each account.
Terry is offline   Reply With Quote
Old 14 Apr 2018, 11:17 PM   #23
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,684
Quote:
I'm interested in how you think a professional survey company can choose a sample... without having been told (by Fastmail) more about each of us than 'just' our login email addresses.
For example, the survey company might choose accounts that have been active at least one year. There are many criteria that are not personal information. They might want to only survey 5% of people using a certain service level. Online polls are notoriously unreliable.
TenFour is online now   Reply With Quote
Old 15 Apr 2018, 02:34 PM   #24
solenoid
Junior Member
 
Join Date: Oct 2010
Posts: 8
Quote:
Originally Posted by ferrety View Post
My login name isn't secret anymore thanks to fastmail. If Experian can get hacked so can their survey company
And, by your logic, so can FastMail.

Moreover, the Experian hack occurred as the result of mind-boggling negligence where a patch was not applied for a long-disclosed security hole in one of the most widely distributed pieces of server software on the planet. Is that what you're suggesting is going on here?

Not to dismiss your concerns out of hand, but perhaps you're mixing apples and oranges.
solenoid is offline   Reply With Quote
Old 15 Apr 2018, 06:04 PM   #25
JeremyNicoll
Essential Contributor
 
Join Date: Dec 2017
Location: Scotland
Posts: 483
Quote:
Originally Posted by TenFour View Post
For example, the survey company might choose accounts that have been active at least one year. There are many criteria that are not personal information. They might want to only survey 5% of people using a certain service level.
How long I've been a customer of a company might not be "personal information" precisely, but it's still something I'd prefer wasn't known to anyone else. Maybe competitors could target ads at users according to how long anyone had been a FM customer.

Also there's a difference between FM giving a focussed list of such users to the survey company (ie FM chose the users), and FM giving a list with much more info in it to the survey company and then them choosing who to contact - the scope for misuse of data is far greater in the latter case.

Quote:
Originally Posted by TenFour View Post
Online polls are notoriously unreliable.
If Fastmail can't trust their own users to answer questions that they ask them themselves (or via a survey company having asked permission first), why would they think that a surprise poll sprung on people without permission is going to be any more reliable?
JeremyNicoll is offline   Reply With Quote
Old 15 Apr 2018, 11:14 PM   #26
walpurg
Member
 
Join Date: Nov 2014
Posts: 39
Disclosing customers' primary email addresses for the purposes of running some lousy survey seems like incredible amateur hour and something I honestly wouldn't have expected from FastMail, ever...

As is evident, quite a few customers (myself included) are very purposefully not giving this address to anyone, so for FastMail to give it to some random entity without asking permission is a violation of trust more than anything. This is not about the survey company's privacy policy, how easy it is to change the main address, etc. etc. -- the point is that an email provider should not be proactively giving out its customers' addresses without their express consent, period. (This would actually apply to our other aliases as well, not just the main address.) What the heck are they smoking over at FastMail these days? It's obvious that there are trivially easy (particularly for email pros like them) ways to not give out customers' existing email addresses for this at all (temp aliases or forwarders like customer1234_at_fastmailusersurveys.com, for example); and even if, by some dubious rationale, giving out an existing address would be deemed absolutely unavoidable, there's no legitimate excuse for not asking for customer consent first.

I thought we were paying FastMail for (among other things) never having to worry about stunts like this... The continuing slide of the company's mindset from "customer first" to "our convenience first" is troubling indeed.
walpurg is offline   Reply With Quote
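
The temporary-forwarder idea raised by lpn and walpurg above, sketched as an added example (not part of any post in this thread and not FastMail's code). The relay domain, class name, campaign label and expiry values are assumptions; each alias forwards a limited number of messages and then stops resolving.

```python
import hashlib
import hmac
import secrets
import time

RELAY_DOMAIN = "survey-relay.example"  # hypothetical relay domain run by the provider


class SurveyAliasRelay:
    """Issues per-campaign forwarding aliases so a vendor never sees real addresses."""

    def __init__(self, ttl_seconds, max_deliveries=1, now=time.time):
        self._key = secrets.token_bytes(32)  # never leaves the provider
        self._ttl = ttl_seconds
        self._max = max_deliveries
        self._now = now  # injectable clock
        self._table = {}  # alias -> [real address, expiry time, deliveries left]

    def issue(self, real_address, campaign):
        # Keyed hash: stable per (campaign, customer), but not reversible or
        # guessable without the key, so the alias leaks nothing about the login.
        msg = f"{campaign}:{real_address.lower()}".encode()
        tag = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:20]
        alias = f"s-{tag}@{RELAY_DOMAIN}"
        self._table[alias] = [real_address, self._now() + self._ttl, self._max]
        return alias

    def export_for_vendor(self, customers, campaign):
        # The only list that is handed to the third party.
        return [self.issue(c, campaign) for c in customers]

    def resolve(self, alias):
        """Return the real address for inbound mail, or None to reject it."""
        key = alias.strip().lower()
        entry = self._table.get(key)
        if entry is None:
            return None
        real, expiry, left = entry
        if self._now() > expiry or left <= 0:
            del self._table[key]  # dead alias: later leaks of the list are harmless
            return None
        entry[2] = left - 1
        return real


if __name__ == "__main__":
    relay = SurveyAliasRelay(ttl_seconds=14 * 24 * 3600)
    # Constructed sample customers, not real accounts.
    vendor_list = relay.export_for_vendor(["jane.private@example.org"], "2018-survey")
    print(vendor_list)
    print(relay.resolve(vendor_list[0]))  # first survey mail is forwarded
    print(relay.resolve(vendor_list[0]))  # anything after that is rejected
```
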
Old 15 Apr 2018, 11:40 PM   #27
ferrety
Member
 
Join Date: Mar 2018
Posts: 53
Bron
That you think it ok to publicly discuss in front of the entire internet the results of 'monitoring' a private account makes me feel even more violated. You announced to the forum that my account is now being monitored but didn't ask me before divulging that. Nor did Fastmail bother to tell me that in private. I found that out reading the forum.

Spam isn't the issue anyway, you are just trying to sidetrack.

And your spiel about how busy you were is also neither here nor there. I never complained that you weren't attending to it.
I objected to you misrepresenting the situation by claiming that the CM was communicating with me when in fact she had left me hanging.

So you trying to guilt me with stories about your train journey & family time & all the rest was irrelevant. And another attempt by you to switch focus away from my email address being given out.
An email I'm now scared to use as I'm being 'monitored' & the results of that monitoring are being made public by you.

Your product is good, really good. But your handling of this situation & the fact that you still don't get why it is not ok to give out email addresses is shocking.

All you have to do is not give out email addresses (save if the law/govt ask - which is different)
ferrety is offline   Reply With Quote
Old 15 Apr 2018, 11:49 PM   #28
Berenburger
The "e" in e-mail
 
Join Date: Sep 2004
Location: The Netherlands
Posts: 2,898
Quote:
Originally Posted by walpurg View Post
I thought we were paying FastMail for (among other things) never having to worry about stunts like this... The continuing slide of the company's mindset from "customer first" to "our convenience first" is troubling indeed.
The company and management team has grown significantly in recent years. I hope they have it all in control. And a stiff conversation with Nicola is needed.

Last edited by Berenburger : 16 Apr 2018 at 01:58 AM.
Berenburger is offline   Reply With Quote
Old 15 Apr 2018, 11:59 PM   #29
ferrety
Member
 
Join Date: Mar 2018
Posts: 53
Quote:
Originally Posted by Berenburger View Post
The company and management team has grown significantly in recent years. I hope they have it all in control. And stiff conversation with Nicola is needed.
She doesn't see that they have done anything wrong, her initial response to my saying why did you give out my primary email address (which is purposely not used except for login for security reasons) was just 'click unsubscribe'.

I had to ring Australia from England to speak to the Office of the Australian Information Commissioner. It was only when I quoted (as instructed by the OAIC) to Fastmail the relevant section of legislation that the OAIC said was breached to her that she took any notice at all. And then I was repeatedly told yes we shouldn't have contacted you without asking first. With me saying over & over the issue is giving it out in the first place not the survey contact.
ferrety is offline   Reply With Quote
Old 16 Apr 2018, 12:56 AM   #30
JeremyNicoll
Essential Contributor
 
Join Date: Dec 2017
Location: Scotland
Posts: 483
Quote:
Originally Posted by ferrety View Post
She doesn't see that they have done anything wrong.
That's deeply worrying. How can FM employ someone with so little clue?

And "Communication Manager"? Is that a sign that FM is now more worried about its public /image/ than being known & respected for its solid technical foundation?
JeremyNicoll is offline   Reply With Quote
All times are GMT +9.