Has the data integrity of Motley Fool been compromised?
I received a spam today at an address used *only* for the Motley Fool mailing list (which I am no longer a member of) from an organisation claiming to be called Options Bulletin, which appears to be US-based.
Two possible scenarios spring to mind:
Motley Fool has breached European Data Protection law by selling or disseminating Personal Data to a third-party without consent, and by retaining Personal Data beyond the period authorised by the Data Subject (as I am no longer a list subscriber). If this action has occurred, this would make Motley Fool an unethical organisation no longer capable of being trusted.
Motley Fool has been haxxøred and their subscription data stolen. If this action has occurred, this would make Motley Fool unable to be trusted for failing to implement adequate data security.
Have you got any more details on the "third party" ? - TMF did start some email advertising a while ago, but they honoured the "do not send me this crap again"
Other possibilities include:
* A dictionary attack
* Your ISP, or a corrupt staffer, sold your email address
* Motley Fool's ISP, or a corrupt staffer, sold your email address
* (You don't say if it's the kind of mailing list that you post to but if so then) someone spotted the address in a posting you made once.
How about another list member's PC was running a certain mail client that automatically adds each & every email address it "sees" into its address book, then their PC was compromised and the address book stolen by some spammer's malware, sometime after you'd made a post to the list?
I have not yet had my distinct Motley Fool email address spammed, but only recently I have received emails for my Expedia and Virgin CC addresses both with similar requests to log in to a bank I don't bank with. The Expedia one has caused me no end of trouble as it wasn't long after my domain was spammed with undeliverable crap.
An email address alone, without an accompanying real name, is never personal data whether made-up or not. It only becomes personal data when it can be used to identify a specific individual.
Richard Kettlewell wrote in uk.net about: Re: Motley Fool data integrity compromised?
Possible, but I suspect rather unlikely: my tracking addresses are a combination of my initials and the organisation being tracked, ie, the resulting user part isn't a dictionary word.
Again, possible, but I suspect rather unlikely: this would require the ISP to have leaked the exact form of the tracking address used rather than the default email address from the user database (I have a subdomain with infinite possible user parts). This would imply monitoring of specific emails from or to myself, a worrying thought. Although I suppose it does remind us that the entire internet is only as trustworthy as the least trustworthy member of staff at any intermediate node that unencrypted communications may pass through :-(
Hmm, now that you mention it, that's possibly not altogether unlikely. I do get the feeling that third-party list operators (especially those based outwith the EU) acting as 'data bureaux' in operating mailing lists for commercial organisations have somewhat low ethical standards. :-(
I can't remember now whether Motley Fool operated their mailing list internally or not..
Still, iirc, as far as the DPA is concerned, the data user is responsible for the actions of the data bureau acting on their behalf, so Motley Fool would still carry the can..
Sorry, I should have pointed out: it was a one-way announcement-only list, ruling out this possibility.
Colin Wilson wrote in uk.finance about: Re: Motley Fool data integrity compromised?
Only the following.. The text of the spam appears to be promotional blurb for yet another (US) company which 'Options Bulletin' appear to have sent on their behalf.
Return-Path: [..]
Received: from ph.agava.net (ph.agava.net [89.108.90.101]) by [my mailbox provider] (Postfix) with ESMTP id DC04DE6F31
Received: from localhost.localdomain (ph.agava.net [89.108.90.101]) by ph.agava.net (Postfix) with ESMTP id 0943F2BF4EA
Subject: Options Bulletin Advisor: PWAC on the Rise, please read
X-Mailer: MIME-tools 5.417 (Entity 5.417)
Sender: "Zinester.com"
Date: Fri, 13 Oct 2006 16:18:30 +0400
X-MailList-Message-ID: 109880
List-Subscribe:
Errors-To: snipped-for-privacy@shadow.agava.net
[..]
List-Help:
List-Id: Zinester.com
List-Post: NO
List-Owner:
X-Zinester-PID: 17465324
From: Options BB
To: [my email address]
Reply-To: Options BB
Message-Id:
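As an added example (not from any poster in this thread), a small Python parser that walks the Received chain of the headers quoted above to find which host actually handed the message to the recipient's provider. The sample headers are reflowed from the post; the recipient's provider, elided in the post, is replaced by the placeholder mailbox.example. Only the Received line written by your own provider can be trusted, since every earlier hop was written by the sending side and could be forged.

```python
import re

# Constructed sample: the headers quoted in the post above, one per line.
# "mailbox.example" is a placeholder for the poster's elided mailbox provider.
HEADERS = """\
Received: from ph.agava.net (ph.agava.net [89.108.90.101]) by mailbox.example (Postfix) with ESMTP id DC04DE6F31
Received: from localhost.localdomain (ph.agava.net [89.108.90.101]) by ph.agava.net (Postfix) with ESMTP id 0943F2BF4EA
Subject: Options Bulletin Advisor: PWAC on the Rise, please read
X-Mailer: MIME-tools 5.417 (Entity 5.417)
Sender: "Zinester.com"
Date: Fri, 13 Oct 2006 16:18:30 +0400
List-Id: Zinester.com
From: Options BB
"""

# Postfix-style Received clause: from HELO (rDNS [ip]) by HOST
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)


def parse_received(headers):
    """Return Received hops in delivery order (earliest hop first).

    Each MTA prepends its own Received line, so the last one in the
    message is the first hop and the first one is the final delivery."""
    hops = []
    for line in headers.splitlines():
        if line.startswith("Received:"):
            m = RECEIVED_RE.search(line)
            if m:
                hops.append(m.groupdict())
    hops.reverse()
    return hops


def trusted_origin(headers):
    """The hop recorded by the recipient's own provider: the only Received
    line whose contents were not under the sender's control."""
    hops = parse_received(headers)
    return hops[-1] if hops else None


def header_value(headers, name):
    """First value of a simple (single-line) header, or None."""
    prefix = name + ":"
    for line in headers.splitlines():
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return None
```

Running trusted_origin on these headers points at ph.agava.net, a Zinester.com list host, not at Motley Fool's own infrastructure.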
But that's not good enough, though. The DPA does not permit "opt-out" lists, only "opt-in" lists. Ignorance is no defence for the Fools!
You're wrong on this. The Data Protection Act does not require you to know who the individual is before it covers them, merely that they're identifiable as a separate individual.
Don't believe me? The Office of the Information Commissioner disagrees with you too.
You want to go down to 2.2.3 specifically - I'm quoting from different bits of it in a slightly disjointed order.
Now, obviously, if you can tie the email address to a real person's name, you're on the money anyway.
In the majority of cases the ability to "identify" an individual will be achieved by knowing the name and address of an individual or by the data controller being in possession of some other information.
But there are a variety of other situations that can be covered too.
The individual must be capable of being identified from data in the possession of the data controller, or from those data and other information in the possession of, or likely to come into the possession of, the data controller.
The Commissioner recognises that an individual may be "identified" without necessarily knowing the name and address of that particular individual.
The point is that if you're able to track someone as a separate individual, you're covered by the DPA. For example, if you had a website that asked users to register - for example, so that they could log-in and customize their settings - you could well have an identifiable individual even without knowing their real name. And while they're logged in, you might well also be storing data about them, by keeping track of them using a cookie (or some similar technology).
There might merely be an intention to target that particular user with advertising, or to offer discounts when they re-visit a particular web site, on the basis of the profile built up, without any ability to locate that user in the physical world. The Commissioner takes the view that such information is, nevertheless, personal data. In the context of the on-line world the information that identifies an individual is that which uniquely locates him in that world, by distinguishing him from others.
Bottom line, you don't need to know who the individual is in the real world to be covered by the DPA. You just need to be able to separate out one user from another - and an email address that corresponds to one person can easily do that.
You're right as far as the use of email addresses by the original collector is concerned, but that's a bit off on a tangent. The original collector of the email addresses will no doubt be using them to identify individuals, whether or not they have a name attached to them or not. But, when removed from the context of a database where the addresses identify different people who use it or are logged in it, then they cease to be personal data as they then don't identify anything other than themselves.
Maybe a better way of putting it would be to say that an email address is only personal data when combined with some other identifier to which the address is attached. A real name is the most obvious type of data which will do this, but it doesn't have to be a real name. It does, though, need to be something - and without that something, an email address is not personal data.