Scrupuli

On December 2, 2010, I received an ad sheet by e-mail. The ads offer white papers at the cost of providing my industry, company size, and complete identifying information. Judging from the title—This Week’s Best IT Re:Sources—it is apparently the premier issue of a weekly mailing.

The mailing used the SourceForge name and logo, and SourceForge admit sending it. It was accomplished using third party service bureaus.

The advertisers who underwrote the mailing were: Dell, Hewlett-Packard, IBM, and Intel.

Based on SourceForge’s privacy policy, I believe I should have only received the mailing if I had first requested it, selected it, or been offered a choice about it. I also believe they should not have used service bureaus to accomplish the mailing, and I do not believe they used trustworthy service bureaus.

About The Mailing

I had only opted to receive the sitewide SourceForge “Site Update Email Alert”, a.k.a. SourceForge.net Update, a monthly newsletter which carries their security notices and other site related announcements, and no others except notifications of comments on a few individual bug reports. Up to now, I had only received these e-mails. And SourceForge’s media kit does not mention This Week’s Best IT Re:Sources, or offer any kind of mass mailings other than short four-line snippets in their newsletters. This Week’s Best IT Re:Sources has not been mentioned anywhere as a new advertising program that I can find. These facts suggested that somebody else sent the mailing.

Also, SourceForge has an in-house system which it uses to distribute its newsletters, but this mailing used an outside system. This fact also suggested that somebody else sent the mailing.

But the ad sheet was addressed to a unique e-mail address which I disclosed in confidence only to SourceForge and Gravatar. This fact suggested either that SourceForge did send the mailing, or that spammers stole my personally identifiable information from SourceForge or Gravatar.

Because either possibility raises a serious issue, I filed a private trouble ticket with SourceForge support.

Today SourceForge admitted to me that they sent the mailing.

About The Privacy Policy

The serious issue, then, is this. I believe SourceForge broke trust with me, twice:

1. They promise that personally identifiable information will only be used with permission. In their privacy statement, they say they may use the information for various good purposes. Especially relevant to this issue, they may use it

• to notify user referrals of Geeknet services, information, or products when a user requests that Geeknet send such information to referrals

and

• to allow the user to purchase products, access services, or otherwise engage in activities the user selects

and they promise that they

• will not use or share the personally identifiable information provided to it online in ways unrelated to the items described above without first letting a user know and offering the user a choice. (Emphasis added.)

2. They promise only to share personally identifiable information with a third party in a manner consistent with the privacy policy, or when obligated by law. That is, when they have

• a user’s permission,

or when they use a third party service bureau

• prohibited from using users’ information for any other purpose

and who will

• comply with Geeknet privacy practices, and other appropriate confidentiality and security measures,

or

• as required by legal obligations.

They say that when using a service bureau they will still keep all the promises made in the privacy statement.

The mailing has links to elabs10.com and emailengine.com for mailing list management, and sourceforge.com and then to accelacomm.com for fulfillment. With Google Search I found that elabs10.com appears on some lists of domains blacklisted for spamming, and that accelacomm.com appears on a list of domains blacklisted for phishing.

Damage Control

In the mailing, they did appear to honor the part of their privacy policy which says they will provide instructions in each of its emails on how to be removed from any lists.

SourceForge have also apologized to me and said, The team has received feedback on this issue, and are working to ensure to make the purpose of these messages more clear in the future and that these messages are only sent to those that want them. This might be corporatespeak for, The people who broke the privacy policy have been properly spanked.

I hope so.

Citations

“GeekNet, Inc. United States/European Union Safe Harbor Privacy Statement.” SourceForge. GeekNet, Inc., n.d. Web. 3 Dec 2010.