Opting In to Privacy Problems

by Brian McWilliams, author of Spam Kings

In their quest for deals on everything from prescription drugs to mortgages and pornography, many internet users may be putting their privacy at serious risk.

Data brokers who cater to spammers are currently buying and selling private information on millions of people, including their home address, telephone number, date of birth, internet protocol (IP) address, and prescription history.

What's more, one list brokerage has been giving away to spammers, at no charge, hundreds of thousands of such personal records to promote its service.

Among the dozens of free, sample databases at this spam list-broker's site was a spreadsheet with data on 31,000 people who had shopped at online pharmacies. In addition to full customer contact details, the spreadsheet listed the prescription drugs each customer had ordered--medications ranging from HIV treatments to antidepressants and painkillers.

The spam list-broker also made available for free download a spreadsheet containing home, phone, and email contact information on 250,000 people, including employees from State Farm Insurance, the U.S. Army, the U.S. Marine Corps, and the Texas State Government.

Out of courtesy to the individuals listed, O'Reilly Network is withholding the address of the spam list-broker's website. Representatives of Canaca-Com, Inc., the Canadian firm that hosts the site, did not respond to interview requests. Officials at Big Pipe Inc., the upstream network provider for Canaca-Com, had no immediate comment on the site. Big Pipe is a subsidiary of Canadian cable provider Shaw Communications.

A screen shot showing part of the site's home page is available here.

While information brokers have been selling email lists to spammers for years, their data-collecting habits have expanded since CAN-SPAM went into effect in 2004. The U.S. law governing junk email prohibits the harvesting of email addresses from web pages and newsgroups, as well as the practice of automatically generating addresses with software.

As a result, many list brokers are now cutting deals with e-commerce sites and internet marketing firms for data that includes home addresses, phone numbers, and an IP address corresponding to each list entry as evidence that the customer data was voluntarily provided by visitors to an online store or other web site.

Armed with proof that their lists contain only "opt in" addresses, some spammers are able to buy permission from large internet service providers to email their subscribers. As long as subscriber complaints stay below a set threshold, the spammer can remain on the ISP's white list.

However, the availability of confidential data at one spam list-broker's site suggests that some list brokers and web sites are playing fast and loose with the privacy of internet shoppers.

DirectMeds, an online pharmacy that apparently provides customer data to the spam list-broker's site, has no formal privacy policy. (The "advice" page of one of DirectMeds' sites, archived here, merely assures shoppers that their information "will remain strictly confidential.")

A 2004 study by the Privacy Rights Clearinghouse found a similar lack of privacy policies at many online pharmacies. Research director Tena Friery says internet drugstores in the United States are required to comply with federal health privacy protection rules only if they accept payment via third-party insurance companies. Many online apothecaries therefore are free to sell customer data, and aren't even obligated to publish a privacy policy, according to Friery.

The spam list-broker's site illustrates the slippery definition of opt-in email marketing on the internet. Most reputable companies will broadcast email ads only to internet users who explicitly grant permission. In addition, such firms do not sell or otherwise share their lists with marketers without obtaining prior approval from recipients.

Many spammers, however, use the term opt-in simply to describe lists of internet users who have previously purchased something via spam or who have shopped at an online store with lax privacy policies.

Free data samples at the spam list-broker's site included personal information excerpted from a database of millions of internet users who visited the sweepstakes site. According to a privacy policy published by California-based BlueStreamMedia, which operates, the company shares data only with partners that publish and adhere to "strict privacy principles regarding the use of such information."

Also freely available for download were samples taken from lists of nearly 3 million individuals who had applied for financial services such as mortgage quotes and credit cards. One free database included full contact data, along with dates of birth, sampled from a list of 500,000 people who had provided personal information to (ECreditFinders' privacy policy states that the company reserves the right to sell customer data to third parties without permission.)

With their vast collections of sensitive personal details, email list brokers represent a good starting point for identity thieves. Yet the spam list-broker's pricing reveals just how much of a commodity personal data has become on the internet. The company sells its lists for between $15 and $1,350 per 1 million records--a fraction of a penny per name.

Other list giveaways from the spam list-broker add fuel to the fire over employees who surf porn sites from work. One free sample contained 1,500 entries from a complete list of 2.5 million records apparently gathered from pornography web sites. Email addresses and IP addresses in the file indicated visits from employees of Ford Motor Company, CBS News, Delta Airlines, Cigna Insurance, and Sun Microsystems.

While the spam list-broker shows little concern for the privacy of people on its lists, the site's operators are careful to keep their own personal details well hidden. The site contains no contact information other than an AOL Instant Messenger address, and its domain registration data has been shielded by the domain registrar.

Last September, the spam list-broker touted its lists in a message board posting at the spammer marketplace. The posting counseled would-be list buyers, "The days of trusting nameless people through IRC and forums is over. Don't put your faith in people you don't know."

That's sound advice, too, for internet shoppers--especially those tempted to buy from spammers.

Editor's note: As of March 18, 2005, the ISP that was hosting the spam list-broker's site has suspended the account. However, the site's operators have already found a new home for their files.

Brian McWilliams is the author of Spam Kings and is an investigative journalist who has covered business and technology for web magazines including Wired News and Salon, as well as the Washington Post and PC World, Computerworld, and Inc. magazines.
