
Yubico sent marketing email to address submitted for product replacement - whyagaindavid
https://utcc.utoronto.ca/~cks/space/blog/spam/AddressesLimitedPurposes
======
acdha
The HN title is misleading - it wasn’t a bug report but the Yubikey 4
replacement. The process by which it happened seems understandable: they used
their existing store to process replacements (you got a coupon code for the
same model as your old key) and notified all past customers when a major new
standard shipped.

They should have handled that better and made it clearer under which
conditions you’d get email but it’s way down the list of annoying corporate
email practices.

------
AdmiralAsshat
I've experienced similar issues with sites where someone else used my e-mail
address to sign-up for something, I purposefully _did not_ follow the
authorization URL, and the companies have flatly refused to delete my
fraudulent accounts or remove me from their mailing lists.

One in particular tried to tell me to reset the password on the account so
that I could sign in and opt-out of the mailing lists. I refused, saying that
doing so would be acknowledging the account as mine and putting the onus on me
to manage something I never signed up for. They refused to budge, despite
numerous escalations.

I swear I feel more like Hank Hill every day.

~~~
tgsovlerkhgsel
If you are using a major e-mail provider, try to mark their spam as spam
server-side.

For senders trusted by your mail provider, this may trigger feedback loops
(automatically informing the sender that their e-mail is unwanted, and usually
requiring them to act on that).

If e-mail deliverability providers (MailChimp etc.) are involved, they usually
try to either educate or fire customers who misbehave, since they don't want
to get their servers blacklisted entirely.

In general, marking as spam should increase the probability that future
e-mails from this company (or, if they're smart to separate it, at least their
marketing spam) will be correctly delivered to the spam folder or outright
rejected at delivery.

~~~
mikeash
I apparently have a somewhat common name, and so my Gmail account
first.last@gmail.com gets a fair amount of misdirected email due to idiots
with a similar address. (As best I can tell, most of them have something like
first.last42@gmail.com and forget the number.)

Good companies will require verification before sending anything else. Those I
can ignore and they’ll go away. For the others, I make a good faith effort to
unsubscribe, but a small one. They get about ten seconds for me to find the
unsubscribe link, otherwise they get reported as spam. I’ve had some which
won’t let me unsubscribe unless I log in to the corresponding account, which
of course I can’t do.

Just remember that this stuff _is_ spam. You’re not abusing a tool to your
advantage, you’re using it the way it’s supposed to be used. Spam doesn’t have
to be knockoff viagra or whatever.

~~~
bitexploder
I have a very common first.last@gmail.com (I wonder who has that literal
address? Poor person.). The things I have gotten by accident are amazing.
Highly sensitive loan applications, retirement accounts, travel documents,
even a thread for a consultant doing highly sensitive plant improvements to a
GM plant complete with access to gigs of plant info docs, process management
and other proprietary information (vehicle design things). I have no idea, but
these guys should be glad I am a benevolent entity :)

~~~
AdmiralAsshat
I'm perplexed as to how you even got first.last@gmail.com, because I'm pretty
sure Gmail disregards the dot and will send anything with your address to
firstlast@gmail.com[0].

That's actually the likely source of the confusion, as my (example) email
might be giraffe@gmail.com while the serial offender is likely
g.iraffe@gmail.com (based on the salutation in the message).

[0] [http://www.businessinsider.com/why-the-dot-in-your-gmail-add...](http://www.businessinsider.com/why-the-dot-in-your-gmail-address-doesnt-matter)

~~~
bitexploder
Well, yeah, it is technically just firstlast@gmail.com, I am just used to the
dot :)

So, any combination of dots in there works. I have just had it since the Gmail
beta. And Insert both with and without the dot as mistaken deliveries.

------
jnxx
> Sadly I have no idea what is a viable alternative to Yubikeys, but at least
> we're not likely to buy any more any time soon.

Nitrokey: [https://www.nitrokey.com/](https://www.nitrokey.com/)

~~~
ilikepi
Adam Langley did a couple round-ups of various security keys last year. Here
are the links to each of their respective HN posts:

* [https://news.ycombinator.com/item?id=15042851](https://news.ycombinator.com/item?id=15042851)

* [https://news.ycombinator.com/item?id=15429831](https://news.ycombinator.com/item?id=15429831)

------
ilikepi
> If you are a registered user of a Yubico website and have supplied your
> email address, Yubico may occasionally send you an email to tell you about
> new features, solicit your feedback, or just keep you up to date with what’s
> going on with Yubico and our products.

If they made the author a "registered user" when he submitted his address to
the replacement program, they should make it clear that's what is happening.
Or they need to expand their TOS language a bit...

~~~
zAy0LfpBZLC8mAC
You cannot have ToS for a process you establish to correct a failure to
perform for existing contracts, in this case for exchanging a defective
product (other than what was part of the original contract).

~~~
ilikepi
Are you summarizing particular laws regarding defective product replacement?
This is not an area with which I'm really familiar.

The way you phrase it, to me, suggests that it would be impossible (in
practical terms) for a company to operate any sort of replacement program via
the net, because they'd be required to collect and process personal
information digitally, and they would be likely advised to not do so without
defining the terms under which that information would be used.

Another comment[1] suggests Yubico implemented this replacement program by
issuing coupon codes for their store. The checkout process requires consent to
their terms.

[1]: [https://news.ycombinator.com/item?id=17059784](https://news.ycombinator.com/item?id=17059784)

~~~
zAy0LfpBZLC8mAC
If you enter into a sales contract selling some gadget, then you are legally
required to deliver that gadget, which also means you are required to deliver
it without defects (unless those were agreed upon in the contract as
properties of the gadget to be sold). If you happen to so far only have
delivered a defective gadget, you haven't fulfilled your contractual
obligations. You cannot refuse to fulfill that contractual obligation just
because the buyer refuses to agree to additional terms that you ask them to
accept.

Details obviously depend on the jurisdiction, but the basic principle probably
applies just about anywhere.

------
xmodem
Yubico is a Swedish company, so you may want to consider filing a complaint
with the Swedish data protection authority:
[https://www.datainspektionen.se/in-english/contact-us/](https://www.datainspektionen.se/in-english/contact-us/)

------
hadrien01
Isn't that illegal, at least in the EU and Canada?

~~~
proactivesvcs
I believe the e-Privacy directive makes it illegal in the EU:
[https://en.wikipedia.org/wiki/Privacy_and_Electronic_Communi...](https://en.wikipedia.org/wiki/Privacy_and_Electronic_Communications_Directive_2002)

------
exabrial
Marketing teams really need to be kept in check. I get it they're pressed for
results with often limited budgets and tools, but there needs to be some basic
ethics at every company. To me, this is just as bad as bundling security
updates with mandatory new features....

------
CryoLogic
Microsoft and a few other companies have done this with the email I used when
interviewing :/

------
sajal83
My policy: if email is interesting/relevant. Do nothing.

If I remember subscribing and haven't attempted to unsubscribe in the past,
attempt to unsubscribe. Spending max 10 seconds.

All other situations, hit "mark as spam"

------
rdiddly
Cute. If I had a dime for all the times this has happened to me since the
90s...

------
davesque
What's the actual risk here? I'm not seeing it.

------
js4
Take a step back and look at the system.

Venture backed companies are required to grow fast to be competitive.

They do whatever they can to achieve this goal. Complain about that, not an
individual. The individual is just trying to survive.

Sad thing is that this tactic works.

It’s likely that more people will end up buying because of this tactic than
will care about it.

~~~
mannykannot
I am not buying this excuse. It is individuals, making individual decisions,
that create the environment, and the buck stops with them. This form of
relativism can easily be extended to all sorts of fraud and corruption.

~~~
js4
> This form of relativism can easily be extended to all sorts of fraud and
> corruption.

You’re right, it can be, and it is for much of the world. Which is why you
need to get the system right.

------
ForHackernews
In the pantheon of tech company misconduct, opting users into marketing emails
when they open a support request seems pretty minor (especially if they can
easily opt-out).

This is at worst, a trivial annoyance. I don't see how we need regulation to
outlaw this behaviour.

~~~
hanbura
Sure, sending spam that I can opt out of isn't the worst thing they can do.
But if you are selling security products I expect better morals than that.
This is yubico squandering trust in exchange for sending a few more marketing
emails.

Considering legislation: I live in Germany. Over here unsolicited marketing
mail (snail mail) addressed to me is illegal. I fully support legislation that
extends the same standard to email (and I'm pretty sure yubico's behaviour is
illegal here). It's wasting my time and computing resources for somebody
else's gain (and that on a massive scale: if you waste just one minute each
from a million people, that's two full years wasted)

~~~
Xylakant
> I fully support legislation that extends the same standard to email

Has already happened. Sending unsolicited marketing via email is illegal in
Germany. For some light reading I can recommend this lawyer's blog who blogs
about his lawsuits against spammers
[https://www.kanzlei-hoenig.de/search/Spam/](https://www.kanzlei-hoenig.de/search/Spam/)

A recent high profile case deciding that even marketing in auto replies
constitutes spam was this
[https://www.dr-bahr.com/news/werbung-in-autoreply-e-mails-is...](https://www.dr-bahr.com/news/werbung-in-autoreply-e-mails-ist-spam.html)
(with links to high court decisions)

An overview about under which conditions Marketing Mails are legal is here
[https://www.datenschutzbeauftragter-info.de/fachbeitraege/ne...](https://www.datenschutzbeauftragter-info.de/fachbeitraege/newsletter-und-datenschutz/)

You can request that the sender produces a protocol of your opt-in. That’s
usually the best route as a layperson since it demonstrates that you know your
rights, carries no risk since no accusations are leveled and is a red flag for
any lawyers on the other end. I have a link to a good sample text somewhere
but can’t find it right now.

