Thursday, August 23, 2007

Your account, whether you like it or not.

Have you ever gone to a website that you just wanted to check out, so you gave it a bogus email address? Did you ever think of what may happen if there were a real person on the other end of that email? I may be that person.

I have an email at Yahoo! that's fairly "clean," and by that I mean that it isn't 15 characters of jibberish with a 10 digit number at the end. It's a concatenation of two short words. (It's also been my user name since 1995 and a real life nickname from junior high.) Unfortunately, I've been paying for this benefit in the form of SPAM since the onset of that problem. Lately I've had a new problem, one that shouldn't be happening.

Well, perhaps it isn't new. I've had this sort of thing happen to me for years. Bogus accounts created to my email address isn't really that new. The new part of the problem is that I can't do anything about these accounts. Once they're created I can't even access them. I can't control the contact settings. I can't control whether my email is published or not. The account isn't mine and I have no way to do anything about it.

I used to be able to simply go to the site and request "my" password. Then I could login and change the email to something else. Sure, sometimes I would vandalize the account. That's the risk you run when you give an email address that you don't control nor know whether it's active. Next time don't be lazy, create your own throwaway account or just use your email address. Use an account that you know doesn't exist, it's not hard to check and see what domains aren't reserved. At the very least, don't use

Why can't I access accounts assigned to my email address? Well, first the website allows the user to put in any email address. That's standard, you can't help that. Then the website doesn't email the initial password, it's either returned on the screen or set by the user. Lastly, in order to retrieve your password you have to answer a personal question before it is emailed to you, it's often asking you to provide your date of birth.

See how that setup allows for an account to be created but the email address owner has no say in it? The truly sad part of this story is that the websites allowing this to happen aren't small shops that can't invest in a usability expert or at least some focus testing. These are established businesses, both online only and corporations that just have a web division. These are websites that have no excuse to not address this issue.

There are several steps that can be taken to avoid this.

The most obvious is to validate that the person creating the account has access to the email address they provide. This is a good practice for any registration system. If you don't validate the email address then you may as well not require it. At that point it's just useless information. If you continually email someone based on this unverified information you're sending unsolicited mail, it's unsolicited because I didn't solicit it. If the only way to stop this emailing is to log in to the system and change your options then it's unacceptable to not verify the email.

Next, you can email the user their password after it's assigned. This is good customer service, as it allows them to have a record of how to access the account. Unfortunately it's poor security, which is probably why it isn't done. If you do this, though, it will discourage the use of fake email addresses (or at least ones that may have a person on the other end) and will give the owner of the email address some recourse, even if that may be a liability to the user.

Allow the email address owner to retrieve or reset the password. Most of the concerns here mimic those above. Unfortunately if you require information provided by the person who created the account, yet the account creator provided an email they don't own, then the email owner doesn't have this information. If you're worried about security then this doesn't work, but it's not always a horrible idea otherwise.

Lastly, provide some way to opt out on the website without logging in. It's really simple to make an opt out application. You only need the email address and then to validate it. You could, at that point, require that the offending account verify their email address, change it, or disable the account. This is a good implementation merely because it will allow you to prevent further accounts from being created for an email address that has opted out.

Of course, if a system isn't in place for me to remove myself I can, and will, email customer service. That is a major annoyance, though. Beyond that, at some point I have to prove that I really own the email address by... having it verified. Otherwise anyone with minimal information could spoof an email and cause havoc.

As an aside I'd like to mention the very worst site that I've dealt with on this issue, CBS Sportsline's Fantasy Football. Someone created an account on this service early last year with my email address. I started getting weekly emails about the service, as well as other random junk. I went to the website to try to fix the situation and could not get in. I could not get the password without the account creator's date of birth. What's worse is that the website has no support contact information available without logging in. I wasn't about to provide them with another email address just to report that I didn't sign up with my other one. I tried to reply to the emails I was getting to no avail. After a month of this and another twenty frustrating minutes of searching I was able to find a support phone number. I called and spoke to a real person, who I explained the problem to. I asked him to change the email address on the account to anything else. He told me he would and I thanked him and hung up. I never stopped getting the emails.

I started marking them as spam. Every time I see a CBS Sportsline email in my inbox I mark it as spam. It's unsolicited. I told them to stop and they didn't. I can only hope that they are increasingly flagged as spam by Yahoo!'s spam filters. Really, that's the only answer that the end user has in this circumstance: Do everything you can to call attention to the issue and then declare the sender a spammer. If they don't give you a way to opt out and you've informed them that you didn't opt in then they are a spammer.


I've created this blog to attempt to convey my thoughts on what people are doing wrong in the design of software and real world objects. I'll also probably delve into people's actions and how a little effort to be more polite, think, and do the right thing would help us all live better lives.

Every day we interact with things that were designed to be pretty or cheap, or maybe they just weren't designed at all. When no thought (or too much thought) goes into how people will use something things go horribly awry.

These things really get under my skin. So much so that I believe it's worth writing about. Hopefully it will be interesting enough to be worth reading about.