
How a Security Company (mis)handles Privacy – The iThemes Security / Liquidweb.com Case

Trying to push sales with games and prizes is a win-win for both the customer and the company. Usually. And it makes perfect sense to combine the prize with some sort of privileges granted by the end user to the company offering the contest, such as using the email address for marketing or using the postal address for mailings. Current privacy legislation makes it clear how these situations are to be handled, and there are strict rules in place to be followed. Seemingly not all companies know this, especially a security-related plugin developer named iThemes Security. What happened?

No double opt-in, no consent for marketing mails

It is not allowed to send marketing mails of whatever type to someone who has not clearly given their consent to receive them. This is regulated in all recent major privacy legislation. And one would expect that a security-focused company such as Liquidweb, which stands behind the iThemes Security plugin, would know. But they either don’t know or they ignore it. Permission can be given in only two ways: implied or express:

  • Implied permission describes those with whom you have an existing business relationship. This could be because they are a current customer, donate to your charity, or are an active member of your website, club, or community.
  • If you don’t have implied permission to email a person, then you’ll need express permission. Express permission is granted when someone specifically gives you permission to send them email campaigns, potentially by entering their email address in a subscription form on your website or entering their details into your in-store newsletter subscribe form.

Wheel of Misfortune

Back in December 2020, iThemes offered a nice wheel of fortune to promote their holiday sales. You could win coupon codes and freebies ranging from 25% to a mere 80% off. Nice! All you had to do was enter your email address, and you were good to go. One would expect that this is just to make sure the coupon code is personalized and only valid for this email address, to prevent people from entering the contest multiple times. But this was not the case.

A generic code to rule them all

All codes you could win were generic. There was no personalization and therefore no real reason to require the email in the first place. What do they need it for, then? I got a glimpse of what might happen to the data acquired by this contest. But I refused to believe it, as there was neither a double opt-in as legally required nor any hint of what the data you entered might be used for. See the following screenshot as proof. Nothing is being told. The only reason given is to prevent multiple use of the fortune wheel.


Digging deeper makes it worse

Well, when really going into the privacy policy provided, there is some information. But it is nowhere near fully qualified, as the TOS of the contest should be linked clearly with the contest itself. Just for completeness: they mention that they can use the data provided. Of course, this section gives them full-fledged freedom to use whatever they get their hands on. But this is also hands-down illegal without proper use of double opt-in. I could have entered hundreds of mail addresses from anyone without their consent, and they would now be flooded with spam mails from iThemes Security.

Spam from a security company is a dead end

So what they did was simply use all the collected data as expressed in their privacy policy linked in the image above. This is horrible and a clear violation of the rules. This is something no one would expect a security-focused company to do. I hate that, and I hope this story will unfold even further. Liquidweb should be ashamed of this practice. And I would never consider buying their products in the near future and without them giving a statement on how they changed their practices.
