Why Did I Create This Page?
I was an early adopter of Gmail back during the beta period. I've been using it for a long, long time. As my email address started appearing on more and more spam lists, I've often wondered if I should just give it up. Eventually, Google basically made that decision for me. This account is tied to all of my Google services and has a substantial amount of history in each.
So, I just started doing what I could to keep my mailbox somewhat clean, blocking spammers and creating filtering rules, for example.
Over time, there was a slow and steady upward trend of email coming in that was obviously for someone else. The ones including the person's name are, of course, the most obvious. Then, I started noticing it was because people started signing up for services using my email address thinking it was their own.
This became very apparent because I would regularly receive password reset requests. These are people who are so convinced that my email address was their email address, they tried to initiate the forgotten password procedure.
Eventually, the stream of password reset requests was so steady and so constant, I actually changed the "Secret Question" text to an informative message asking people to knock it off. It continued. And continued. And continued. And continued some more. Over time, my Secret Question text got steadily more and more vile. Now, it is a complete and utter nastygram. It is profane and so very, very not nice. I'd be ashamed if my mother read it for sure.
Before long, the misdirected email had grown to a handful of times per week. I'd roll my eyes and usually just delete it. If it was definitely a legit, simple misdirect, I would actually reply to the person and at least give them a heads up. "Wrong email address," is about all I would say. At least someone's grandma would know they didn't get the invitation to Aunt Tilly's birthday party. I still do this today for personal emails only. Except for the "sexting" emails. For those, I figure they'd rather just think that the email went off into the ether, so I ignore them.
To make matters worse, Google's email implementation includes a really, really annoying "feature" where it strips all the dots from an email address automatically. So email@example.com is the same as firstname.lastname@example.org. I get a lot of different 'dot' incarnations of my email address as well. Yeah, that's fun to explain.
After a couple more years, the amount of misdirected email I was receiving specifically due to people not knowing their own email address became so prolific, I started filing it into a Gmail label I created just for that purpose. The "Idiots" label. That was when I started noticing more trends.
Some of the trends were simple. Like when someone obviously just started signing up for some newsletters and things. They wanted to sign up for a few things related to the same topic and did so in a short period of time. All using the wrong email address of course.
Other trends were more telling about the practices of a company. One day, the full details of someone's private info showed up in my mailbox. Name, home address, phone number, DOB, the works. Sometimes I'll even get social security numbers and more. At first, when reaching out to these companies, I was polite. I'd nicely ask if they could remove my email address from that account because Arthur or Anthony or whomever had inadvertently used my email address when they signed up. Responses were very few. And since I was now keeping track, I could see when I would continue to receive emails from a company where I had already asked to be taken off. I'd ask again. Usually nothing. Ask again, nothing. Very low success rate. For some of these, I just let it drop and blocked them with a filter.
But some of these were so egregious that I basically had everything I would have needed to take over a person's financial life. I could easily have initiated the forgotten password procedure, signed into their bank account, and done whatever I wanted. I felt that if these companies were so lax that it was happening this frequently to just me, there must be bad actors out there using this to their advantage. Imagine a criminal signing up an email address, say, email@example.com, and then just waiting for the same type of email misdirection. These irresponsible companies enable this to happen with their disregard for security and privacy practices.
It grew more and more egregious and more and more offensive to me. Especially so when it's from companies we depend on to be secure. Companies you'd think we would be able to trust. Banks, credit bureaus, phone providers, you name it.
Airlines would send me someone's home address and flight info. So I knew exactly where they lived and exactly when they would NOT be home and how long they would be gone.
Many of these companies just do not care. For example, AT&T has my email address associated with no less than three people's accounts CURRENTLY. Yes, simultaneously, multiple AT&T account holders are able to have the same email address. My email address is currently associated with people named Allene, James, and Akeem. All of them in completely different locations around the country. Their account information and home addresses are included in some of these emails of course, so I can see that they aren't simply a family plan of some kind.
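Added example, not part of the original post and not any company's real code: a Python sketch of the two checks whose absence is described above, namely confirming an address before any account mail goes to it, and noticing when several accounts resolve to one mailbox. It goes slightly beyond the post by also folding "+tag" suffixes and the googlemail.com alias; the record layout, function names and sample accounts are constructed for illustration.

```python
from collections import defaultdict

# Domains that deliver to the same Gmail mailbox.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical_email(addr):
    """Collapse the spellings that Gmail delivers to one mailbox."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        # Gmail ignores dots and anything after "+" in the local part.
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"

def audit_accounts(accounts):
    """Return (mailboxes bound to more than one account, ids never confirmed)."""
    by_mailbox = defaultdict(list)
    for acct in accounts:
        by_mailbox[canonical_email(acct["email"])].append(acct["id"])
    shared = {box: ids for box, ids in by_mailbox.items() if len(ids) > 1}
    unverified = [a["id"] for a in accounts if not a["verified"]]
    return shared, unverified

def may_send(account, kind):
    """Until the owner confirms the address, only the confirmation mail goes out.

    Statements, itineraries and password resets all wait for verification.
    """
    return account["verified"] or kind == "confirm_address"

# Constructed sample records (hypothetical customers, not real addresses).
SAMPLE_ACCOUNTS = [
    {"id": "acct-1", "email": "constructed.sample@gmail.com", "verified": False},
    {"id": "acct-2", "email": "constructedsample@gmail.com", "verified": False},
    {"id": "acct-3", "email": "Constructed.Sample+bills@googlemail.com",
     "verified": False},
    {"id": "acct-4", "email": "other.person@example.org", "verified": True},
]

if __name__ == "__main__":
    shared, unverified = audit_accounts(SAMPLE_ACCOUNTS)
    for box, ids in shared.items():
        print(f"{box} is bound to {len(ids)} accounts: {', '.join(ids)}")
    print("never confirmed:", ", ".join(unverified))
    print("reset mail allowed for acct-1:",
          may_send(SAMPLE_ACCOUNTS[0], "password_reset"))
```
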
So, as I said, I used to be polite, and my success rate was very low. So I amped up the vitriol. A lot. For repeat offenders with particularly dangerous lapses in security and privacy, I am absolutely dreadful. I've sent out horrible emails to entire executive leadership departments just to get the attention of a human. Once I finally get someone, I will of course apologize. Here is a direct copy and paste from one of my emails after I finally made contact with a real human:
I do apologize for being such a truly epic snot rag in my message. Unfortunately it's been one of the only means with which I've been able to penetrate an organization effectively.
Of course, sometimes it goes the other way and I get such a ridiculous response that I have to continue with the snot rag treatment just to get them to act. I've got a fantastic email thread with Blizzard where I had to thoroughly browbeat them to make them understand that there was even a problem, including insulting them over the whole Real ID debacle many years ago. They seriously did not get it and they gave me a serious amount of attitude to go along with it. Fortunately, one of the other people that I reached there must've had a brain and explained it to them because they suddenly shut up and I never heard from them again nor received any more misdirected email.
Still others have responded positively. One was after a particularly difficult attempt at breaking through the apathy and bureaucracy of an offending airline. A couple of months later, I got a personal email from one of their security guys. He had been complaining about this problem for a long time and it was falling on deaf ears. But apparently I managed to get enough visibility onto the problem (after one of my executive email carpet bomb runs) that they finally took action.
My last resort, for particularly bad ones where I can't get a response, is to turn to public shaming. I turn to Twitter and call out the company, making sure to @ them, as well as using some good hashtags that they don't want associated with their name, like #PRIVACY and #FAIL. Surprisingly, it has worked a few times.
I tried it with AT&T, posting to all three big social networks. The response... crickets. They truly do not give a damn about customer security or privacy at all. My next step is going to be to give them one last chance to respond and then I'm going to log into these people's accounts and cancel them.