More on Alastair Rumpell’s response to my privacy concerns about his new email monitoring service, didtheyreadit. (Here’s the first one.)
I wondered how the email addresses harvested by Rampell would be used (These would include all emails sent from and to recipients via the service since as far as I can understand it didtheyreadit, unlike MSGTAG, would work via tagging the email address, not the email itself. This would involve collecting the email address of sender and recipient). Alastair’s response: “We don’t harvest any e-mail addresses—I wasn’t sure to which e-mail addresses you are referring. We can send you e-mails to the account you register with, but we also allow you to opt-out at any time. We do not send any commercial e-mail or e-mail for any other companies to our customer list.” That’s not quite the complete denial I was looking for, but perhaps I wasn’t specific enough in my original post.
Another question I raised: How will Rampell prevent this service being used by spammers and other mass-mail marketers? Alastair’s response:
“We limit you to 750 messages per month. Very few individuals will ever exceed this number…whereas all mass-mail marketers would.” Fair enough.
Although Alastair takes pains to address my general privacy concerns, however, I’m not sure I can agree with his arguments. He candidly writes, “I had a discussion with somebody last week who was offended and repulsed by the idea of our service; the reason why is because a criminal could use our service to tell if somebody was at home. (Although she recognized that a telephone call could be used for the same purpose).” I can agree with that: Privacy is a long tunnel that can suck you in if you’re not careful — where everything is a threat — but while I don’t think didtheyreadit and MSGTAG represent threats to one’s physical safety, there are still some serious issues out there.
Alastair, for example says in response to my question “Why is the service invisible by default?” (In other words, why is there no default notice in the email informing the recipient the email they are reading is being tracked). Alastair’s response: “I believe it is what the market demands.” He later goes on: “We are planning on doing a free version (like msgtag) that automatically places the disclosure there, as it is a form of marketing. In
our initial tests, though, people who were trying the service were very concerned about having it disclosed to the recipients that the messages were being tracked.” I think that pretty much defines the problem. If someone sends a message to someone but doesn’t want them to know they know their message is being monitored, you’ve pretty much got yourself trapped in a privacy quagmire. If I do something to know something about you, but I don’t want you to know I am doing something to know something about you, then I would submit that as a default definition of snooping, or invasion of privacy.
What’s more, what kind of user would want to monitor their sent emails so invisibly? It’s hard to imagine they’re sending something to Aunt June or their son Bobcat. Given the other elements of didtheyreadit — monitoring exactly when, how long, where and how many times an email has been read — I’d say a consumer who demands the service be invisible may not be the kind of customer you’d be proud of having. What’s more, Alastair’s response to the issue of informing the recipient the email is being tracked is a rather strange one, in my view: Including a message informing the recipient might deter customers. “Even if it is an option,” he writes, ”it will confuse a good deal of people who might avoid using our service as a result.” I can hardly agree with that. Including an option to address a serious privacy issue is only likely to deter folk who aren’t great respecters of privacy.
I had some other issues with Alastair’s company, not least because it sells products that inhabit a grey privacy area. They include a keyboard logger called Spector, and ViewRemote (“record everything that happens on your computer and watch it from any other computer in the world!”). Alastair’s response: “I realize that some of our other products are often considered invasions of privacy. However, we take great pains to make sure that the products (ViewRemote and Spector) are only used by authorized people. For example, you cannot install ViewRemote or Spector without entering your computer’s administrative password—so it can’t be installed without your permission. Installing Spector or ViewRemote on somebody else’s computer is not only a gross violation of privacy—but it’s also illegal. I feel that this is immoral and unethical, and thus we do not support it. But “spying” on your own computer, for lack of a better word, is sometimes necessary. Our products have been used to catch an employee stealing, identifying a pedophile, etc.”
I’m sure there are legitimate uses of such programs. But it leaves an uncomfortable taste that the company whose main products are what I would call stealth software is now selling a service that invisibly and remotely monitors the fate of emails. Alastair, who says his academic background is on the other side of privacy, via cryptography research, is at least discussing the issues, which is a good sign. But I am not sure I agree with him when he concludes that ”I believe that DidTheyReadIt is relatively harmless. Yes, you can use it to catch somebody in a lie…but there are a wealth of legitimate purposes that give the sender more information (such as if the message was even received) without necessarily infringing upon the privacy of the recipient.”
My response: Yes, in the midst of spam’s deluge there’s definitely a legitimate market here for checking whether your email got to where it was supposed to go safely. But it shouldn’t be necessary to go beyond that, to check about aspects of its fate that should really be the private property of the recipient: How long the message was read, where it was opened, whether it was forwarded to others. Furthermore, didtheyreadit (and MSGTAG) need to address the issue of allowing the recipient to easily and definitively opt out of having the emails they receive tagged by such services; if possible, before the first email they receive from either service. If such companies don’t address these issues before they get successful, they may find themselves caught up the full glare of privacy advocates, and end up destroying what is in essence a useful and benign service.