Friday, February 04, 2011

De Shopping Experience

With e-commerce set to jump out of the bag with the coming of actual broadband and 3G in India, you'd think it's safe to get out there and buy stuff online here...


It's neither safe, nor prudent to give any of these web sites too much of a chance till they start respecting privacy and/or up the security on the data that you have to give them. I've had some pretty sad experiences with spam happening from places I'd have least expected it to come.

The Setup
It all started with me getting so much spam on my old Hotmail account that I more or less stopped using it altogether. It had been relegated to that old account where I had a few subscriptions, or that I gave to any website that required registration... and my personal address? Well, that's personal... why let anyone see that at all?

Unfortunately, I found that I was getting more spam in my inbox than in my "Junk mail folder", and the spam management and amazing search functionality on Hotmail just didn't help at all (searching for the word "dentist" yielded no results despite the fact that bulk of my inbox was filled with mail with the same word in the subject). I needed another way to sort through that account - frankly, I only wanted to keep it since it's one of my first e-mail addresses and if anyone still uses it they should be able to (eventually) elicit a response from it, so once a month I check it.

I've found that the best (and easiest) way to track spam is to use your own domain with a mailbox there for every site you may have low trust issues with. It's quite convenient for companies (like com) so you remember the login details (since if you reached the website, you're bound to know what email address you've passed them). I've managed to take it to a level where it takes a matter of seconds to setup an account for someone, access it automatically with a password shared across accounts, and with limits only on the collective size of inbox, I've found I'm relatively sorted on this part. Once you're sure that they're not evil spammers, you can give them your proper e-mail address.

So there I was... I felt comfortable with this system of distributing email addresses. It confuses people and gets funny at times as well... I've been asked a few times if I work with Dell (while on the phone with support).

I'm guessing majority of the leaks start at customer care. We need to educate the call centre employees on privacy and ethics. Most of them wouldn't think twice about giving anyone their own addresses and phone numbers out and wouldn't think of it as a breach of agreement or even privacy. I don't think anyone would bother trying to hack into many of the customer databases... it's easier to hang out outside the call centre (I'm sure it wouldn't be difficult to get the location/address through the phone) and offer someone a couple of hundred rupees for all the email addresses.

To help or not to help
It's really sad where all I get spam from. Oxfam India was responsible for my receipt of mail offering to "Make it stronger. Last a lot longer." It should be good enough that I contribute to their causes in cash - why would they sell my data?

Travel issues
You want to book flight, train or bus tickets or a hotel room from/in India online? Yatra delivers quite a good experience on the actual business side... on the side business, I've received spam from LIC (which IMHO is just about acceptable seeing as it's a respected Insurance company - just the source of the email address and the option to opt out should be included in the mail). One thing I DIDN'T expect from them was to get a Facebook invite from Shalini Ahuja - you're thinking this would possibly be a bot or a very lonely person? The invite said :
Lowest Fares on www . EaseMyTrip . com Just Compare Fares Once Before Issuing Tickets Online.... Also Earn Upto Rs.50,000/Month or More by Joining EMT Franchise Network !!
Sounds like a competitor to me... does this mean all Yatra customers were sent FB invites from EaseMyTrip?

A company that wanted to sell projectors and services related to projectors has contacted me on my Yatra account. This information also seems to have reached an "offers" website, who have offered me "Resort homes" in India.

Does this mean that Yatra sells user data? Probably not - one rogue employee or someone may have given this data out. I don't get too much spam through them... a total of 4 emails that I've managed to track - it's a little bit of work. In fact, I'd spoken with some pretty senior people (at Yatra) about this and haven't received any more spam on that address.

Khojguru has managed to get my Dominos pizza email address and send me mail about it. They even included a link to allow me to unsubscribe from their list - I didn't want to click on it since this would confirm that it's an active address and allow the spammer (Khojguru) to validate this as a "good lead". The next mail I got on this address (some insurance comparison site) actually said that it was being sent from, so at least when Khojguru sends my mail address on to more spammers, they keep me in the loop.

An online auction site sent me spam at my book my show address, and were nice enough to include a coupon just above the (unused) unsubscription link.

There's an email provider here who (apparently) pays you back for using their email service and in the spam they've sent to my Dominos account (again via Khojguru), they've even mentioned a donation they've made to charity, aside from offering me great deals.

Dominos gets the prize for versatility though... from email that pays you to use it to "Compete in yacht size? Nowadays it is of no use - boost your bed energy!"

The Bad
Okay, so now the story gets a bit murky... an internet provider (Spectranet) sent my Ferns and Petals account a flyer about affordable long distance calling... heck, if an internet provider buys/obtains this data illegally, who's stopping them from sharing their customers data or even spying on the actual data that's being exchanged by users online?

My Ferns and petals account also received junk from The Economist offering me a subscription - hey at least they're keeping it classy! Or maybe not... IndusLadies sent me a newsletter, and offered to take feedback/unsubscription requests which lead to a "" url, but then ALL links do... it's almost like they're running campaigns for people who want publicity and using their customers mail addresses to send all of this crap out. Bad, bad FnP! No Froyo for you!

All of these so far are just standard sites or organisations that are either too stupid/enethical to hold my data with a degree of respect. They're not really very big on the online shopping front.

I've had so much spam at my Ngpay address it's not funny. Ngpay is a service which partners with online retailers, travel sites, gift sites, movie sites... it's an aggregator of sorts, but it's mobile! It delivers a near seamless experience (or had in the past when I used to use it), but since they have to pass on your contact details to their partners, someone or the other (read: would start sending you spam. I don't hold this against them, but would like them to try it the Google way... not pass the actual email address, but a time limited alias which could be deactivated on confirmation from the customer.

The Ugly
Shop Your World... this one actually deserves a separate post, but hey, I'm not here very often :)

I got a flyer from one of my banks telling me I could now shop on or in Indian Rupees, have the product shipped to India, and get to see the complete cost (delivery to my doorstep) upfront... they'll handle purchase, shipping, customs duty and delivery, and I get what I bought at the US price plus a bit on shipping and tax. It winds up a lot more cost effective for me to buy this way... it also winds up a lot more convenient - at one point, if you bought something from a US store and had them ship it here, they'd give you a call when it reached customs and you'd have to go pay and get it out.

Great concept! has a similar concept, but they only handle particular suppliers from the US and ONLY ebay listings. Now I can get stuff from the US or UK at a reasonable price (Services here are cheap and involve cut-throat competition, but many products are generally much more expensive here), and I don't need to have an address abroad or have anyone pick it up, or have anyone bring it down... it reaches my door for a few rupees more.

A serious shopping site is the LAST place I'd expect to get spam from... one that my BANK recommends? I registered, left my mobile number, email address, house address, "spam" mobile number; a freely distributed number, and a phone in the shopping cart. I got spam from MTV. The spam was addressed to "Dear Sunil", so they hadn't just sold the address... the name was specified as well. I managed to catch an online agent to chat with and asked if they sold information. When I was told that this was against policy (as I'd already seen on their website), I persisted and was told that they didn't. If they're not selling or distributing my data and someone else has it, there's only one other natural assumption that springs to mind... they're low on security and/or have been hacked into, and data stolen. I don't really think I want to use an e-commerce site that's been hacked into, especially with the response I got from the agent... I had the transcript emailed to me. So far no one has gotten back to me - heck, maybe they lost my data :-D

The transcript of the conversation:
info: Please wait for a site operator to respond.
info: You are now chatting with 'Aditya'
info: Your Issue ID for this chat is LTK166010377008X
Aditya: Welcome to Shop Your World
Aditya: How may I help? com: Hi Aditya, I'd registered on your site and had considered buying some things from there. I created a specific email address for your site com: I received spam on this email address yesterday com: I would like to know if you are distributing/selling my data com: because this goes against the privacy policy mentioned on your website
Aditya: We do not share our Customer's Database with any other Company com: then your system has been hacked into com: which is even more of a concern
Aditya: I will pass this Information to the IT team com: the only place this email address has ever been typed is on
Aditya: Ok com: not good enough com: I'd like you to have your management team contact me as this is a rather serious issue com: I'm just glad I didn't buy anything from you or my credit card details might have been floating around the internet as well
Aditya: Like I said, I will share this Information with the IT Team to look into the matter and check if there are any gates open for the hackers to peep into our database.
Aditya: As of now we haven't received such Complaints, but considering this is the first, we would like to do something about it and avoid such complaints in future com: if I don't get a revert from your management team in the next three days I'll blog this. com: I don't think you're getting how serious this issue is
Aditya: The Credit Card Details are not stored in our database any which way as we use a 3D secure payment gateway
Aditya: You will have to go through VISA or Mastercard verified gateway for every transaction com: I'm not going to waste any more time chatting with you. Please make sure someone contacts me about this in the next three days
Aditya: So security of your Card details shouldn't be a concern at all
info: Your chat transcript will be sent to com at the end of your chat. com: selling the data would be enough of an issue - I got spam from with the subject MTV GANG NEXT 2.0 Auditions, which would suggest you've sold my information to an MTV affiliate. com: the mail was sent from a Tata Teleservices internet account com: was the IP
Aditya: We will have this checked com: please have whoever contacts me at the given mail address provide a contact number com: I will call back
Aditya: I have passed on the Information to the concern team
Aditya: We have your contact details registered with this Email ID com: now you're getting my point - I've given you more details than I'd typically give to an untrusted site. So you can have them call me on my mobile.
Aditya: Sure
Aditya: You should get a call within 24 - 48 hours com: thanks
Aditya: Cheers!
It's been a week and a day... should have been enough time for them to get back to me... they haven't. Maybe HDFC (and ICICI) should consider security of their partner sites - the sites themselves don't seem to care too much.