Hacker News new | past | comments | ask | show | jobs | submit login
Yubico sent marketing email to address submitted for product replacement (utcc.utoronto.ca)
137 points by whyagaindavid on May 13, 2018 | hide | past | favorite | 65 comments



The HN title is misleading - it wasn’t a bug report but the Yubikey 4 replacement. The process by which it happened seems understandable: they used their existing store to process replacements (you got a coupon code for the same model as your old key) and notified all past customers when a major new standard shipped.

They should have handled that better and made it clearer under which conditions you’d get email but it’s way down the list of annoying corporate email practices.


I've experienced similar issues with sites where someone else used my e-mail address to sign-up for something, I purposefully did not follow the authorization URL, and the companies have flatly refused to delete my fraudulent accounts or remove me from their mailing lists.

One in particular tried to tell me to reset the password on the account so that I could sign in and opt-out of the mailing lists. I refused, saying that doing so would be acknowledging the account as mine and putting the onus on me to manage something I never signed up for. They refused to budge, despite numerous escalations.

I swear I feel more like Hank Hill every day.


If you are using a major e-mail provider, try to mark their spam as spam server-side.

For senders trusted by your mail provider, this may trigger feedback loops (automatically informing the sender that their e-mail is unwanted, and usually requiring them to act on that).

If e-mail deliverability providers (MailChimp etc.) are involved, they usually try to either educate or fire customers who misbehave, since they don't want to get their servers blacklisted entirely.

In general, marking as spam should increase the probability that future e-mails from this company (or, if they're smart to separate it, at least their marketing spam) will be correctly delivered to the spam folder or outright rejected at delivery.


I apparently have a somewhat common name, and so my Gmail account first.last@gmail.com gets a fair amount of misdirected email due to idiots with a similar address. (As best I can tell, most of them have something like first.last42@gmail.com and forget the number.)

Good companies will require verification before sending anything else. Those I can ignore and they’ll go away. For the others, I make a good faith effort to unsubscribe, but a small one. They get about ten seconds for me to find the unsubscribe link, otherwise they get reported as spam. I’ve had some which won’t let me unsubscribe unless I log in to the corresponding account, which of course I can’t do.

Just remember that this stuff is spam. You’re not abusing a tool to your advantage, you’re using it the way it’s supposed to be used. Spam doesn’t have to be knockoff viagra or whatever.


> For the others, I make a good faith effort to unsubscribe, but a small one. They get about ten seconds for me to find the unsubscribe link, otherwise they get reported as spam.

I do not have any more the patience for that. If I am actually a customer of the company, I might use the unsubscribe link. If not, in my email program (claws-mail) it is two clicks to automatically delete all mails from that address. I get regularly mails from spammy recruiters who obviously scrape CVs and belong in this category. To not waste bandwidth, I put black-listed addresses also into a blacklist which is used on the server side by mail email provider. It would be neat if email clients did support that feature.

Also, there are definitely large organisations which when you unsubscribe from their list, they will simply send spam from dozens of other mail addresses. IEEE is the worst I've seen.


I'm in the same boat. People have used my gmail address when opening bank accounts, buying cars and even buying apartments! It has an upside though. If you try to map my email address to a real identity you get a great many "verified" wrong answers.


I have a very common first.last@gmail.com (I wonder who has that literal address? Poor person.). The things I have gotten by accident are amazing. Highly sensitive loan applications, retirement accounts, travel documents, even a thread for a consultant doing highly sensitive plant improvements to a GM plant complete with access to gigs of plant info docs, process management and other proprietary information (vehicle design things). I have no idea, but these guys should be glad I an a benevolent entity :)


I'm perplexed as to how you even got first.last@gmail.com, because I'm pretty sure Gmail disregards the dot and will send anything with your address to firstlast@gmail.com[0].

That's actually the likely source of the confusion, as my (example) email might be giraffe@gmail.com while the serial offender is likely g.iraffe@gmail.com (based on the salutation in the message).

[0]http://www.businessinsider.com/why-the-dot-in-your-gmail-add...


Well, yeah, it is technically just firstlast@gmail.com, I am just used to the dot :)

So, any combination of dots in there works. I have just had it since the Gmail beta. And Insert both with and without the dot as mistaken deliveries.


> If e-mail deliverability providers (MailChimp etc.) are involved, they usually try to either educate or fire customers who misbehave, since they don't want to get their servers blacklisted entirely.

Since "My experience with Mailchimp was decidedly not like that" seems to be attracting downvotes, I'll expand on that. Mailchimp is opt out. So when I found myself on the receiving end of some local dog botique's spam (I don't have any pets, dogs or otherwise) list that was being serviced by Mailchimp I got to go through the tedious process of opting out.

Getting off of the spam list required tracking down contact info on LinkedIn and spamming the spammers. As long as companies like Mailchimp provide opt-out instead of opt-in services, it is Mailchimp and their brethren that are the bad actors. Mailchimp and Marketo have earned a spot on my smtpd_sender_restrictions blacklist.


> If e-mail deliverability providers (MailChimp etc.) are involved, they usually try to either educate or fire customers who misbehave, since they don't want to get their servers blacklisted entirely.

My experience with Mailchimp was decidedly not like that.


Were you buying Mailchimp services? It would be interesting to hear from Mailchimp customers how enthusiastic Mailchimp is at handling spam complaints.


> Were you buying Mailchimp services?

No, I was the service.


I registered my own domain and switched my email over to a service that lets me generate arbitrary email aliases. When I go to a site or have to otherwise give an email address, I create a new unique alias just for that service. This lets me track where they are leaking my email to, and lets me blackhole the whole site if needed.

It’s great.


I've been doing a similar thing for year with the gmail feature that lets you add "+anything" to the end of your email address. If someone starts spamming myrealemail+thethingIusedforthatsite@gmail.com, it's easy to create a filter to trash it automatically.

I've tried the catchall method on a domain I control, but got way too much spam people trying random addresses.


I have first@last.io. My mail provider (fast mail) supports sending mail to service@first.last.io. This then ends up in a folder called service, or in my inbox.

Works pretty great.


I'd imagine your average spam list purchaser removes the + stuff on Gmail addresses.


So blacklist everything coming in without a +


Sure, if you never gave any friends/family the non-+ version.


And all websites accepted emails with "+" in them (hint: your email validation regex sucks and is not standard compliant).


If a site has broken email validation and I absolutely positively NEED to use it, then I'll grudgingly create an explicit alias just for that site. Otherwise, I find a competitor that doesn't screw this up. In both cases, I end up passively-aggressively tweeting about the company's email validation, though.


I’ve done each of these things and they work great.

1. Go up the chain. Email the head of technology and head of marketing for the company. Tell them that what they are doing is unacceptable.

2. Look up the email service provider. Find their abuse address. Bring it up with them directly.

3. Mark as spam. I give companies one chance to get it right after I unsubscribe. If I keep getting emails I start to mark as spam. If I still get emails I escalate to #1 or #2


Might be worth filing a CAN SPAM ACT report.


Liked for the last line. Getting old is funny.


> Sadly I have no idea what is a viable alternative to Yubikeys, but at least we're not likely to buy any more any time soon.

Nitrokey: https://www.nitrokey.com/


Adam Langley did a couple round-ups of various security keys last year. Here's the links to each of their respect HN posts:

* https://news.ycombinator.com/item?id=15042851

* https://news.ycombinator.com/item?id=15429831


My preferred one is Vasco, also working on ios. I wrote a comparison a while ago:

https://medium.com/@0x0ece/googles-advanced-protection-progr...

On a related note, has anyone already tested a FIDO2 key? I'm looking to buy one, but still can't find any, including developer previews.


If you got a Ledger Nano you can use that as well in some circumstances. Likely the same counts for other Bitcoin hardware wallets.


Also check out U2F Zero

https://www.u2fzero.com/


[flagged]


`>` is used to denote a quote and it's been that way for decades at least.

The article was asking for alternatives. Then jnxx responded with an alternative.

This chain of interactions was perfectly reasonable until you showed up and started accusing people without even a shred of evidence.

They only have 8 comments, you can read through all of them in the span of a minute. The only one that seems to be on one of their own projects is a link to this: https://gitlab.com/jnxx/check-trustpaths


I don't think you're making the objectively logical conclusion that you think you're making. GP quoted the linked post.


How do you link jnxx to nitrokey?


> If you are a registered user of a Yubico website and have supplied your email address, Yubico may occasionally send you an email to tell you about new features, solicit your feedback, or just keep you up to date with what’s going on with Yubico and our products.

If they made the author a "registered user" when he submitted his address to the replacement program, they should make it clear that's what is happening. Or they need to expand their TOS language a bit...


You cannot have ToS for a process you establish to correct a failure to perform for existing contracts, in this case for exchanging a defective product (other than what was part of the original contract).


Are you summarizing particular laws regarding defective product replacement? This is not an area with which I'm really familiar.

The way you phrase it, to me, suggests that it would be impossible (in practical terms) for a company to operate any sort of replacement program via the net, because they'd be required to collect and process personal information digitally, and they would be likely advised to not do so without defining the terms under which that information would be used.

Another comment[1] suggests YubiCo implemented this replacement program by issuing coupon codes for their store. The checkout process requires consent to their terms.

[1]: https://news.ycombinator.com/item?id=17059784


If you enter into a sales contract selling some gadget, then you are legally required to deliver that gadget, which also means you are required to deliver it without defects (unless those were agreed upon in the contract as properties of the gadget to be sold). If you happen to so far only have delivered a defective gadget, you haven't fulfilled your contractual obligations. You cannot refuse to fulfill that contractual obligation just because the buyer refuses to agree to additional terms that you ask them to accept.

Details obviously depend on the jurisdiction, but the basic principle probably applies just about anywhere.


> because they'd be required to collect and process personal information digitally, and they would be likely advised to not do so without defining the terms under which that information would be used.

That's absurd. First, they should only collect the information they need to provide a replacement product. Second, they should only use that information to provide a replacement product. That would be the right thing to do, regardless of how anti-consumer the laws in whatever countries are.

> The checkout process requires consent to their terms.

You can't arbitrarily weaken people's rights via terms in most civilized countries. So if that was the only way to get a replacement, I don't think it'd be too difficult to make a case that the terms are null and void. Certainly in Germany, additional terms such as EULAs are invalid if presented after the purchase.

---

However, while the store might have been the most convenient way to get a replacement, I don't know if it was the only way. If they made it clear in the email that there were other ways to get a replacement, well then it's still a shitty move by marketing and ethically questionable, but probably legally okay.


Yubico is a Swedish company, so you may want to consider filing a complaint with the Swedish data protection authority: https://www.datainspektionen.se/in-english/contact-us/


Isn't that illegal, at least in the EU and Canada?


I believe the e-Privacy directive makes it illegal in the EU: https://en.wikipedia.org/wiki/Privacy_and_Electronic_Communi...


I'm fairly confident it will be illegal starting May 25th.


Marketing teams really need to be kept in check. I get it they're pressed for results with often limited budgets and tools, but there needs to be some basic ethics at every company. To me, this is just as bad as bundling security updates with mandatory new features....


Microsoft and a few other companies have done this with the email I used when interviewing :/


My policy: if email is interesting/relavent. Do nothing.

If I remember subscribing and haven't attempted to unsubscribe in the past, attempt to unsubscribe. Spending max 10 seconds.

All other situations, hit "mark as spam"


Cute. If I had a dime for all the times this has happened to me since the 90s...


What's the actual risk here? I'm not seeing it.


Take a step back and look at the system.

Venture backed companies are required to grow fast to be competitive.

They do whatever they can to achieve this goal. Complain about that, not an individual. The individual is just trying to survive.

Sad thing is that this tactic works.

It’s likely that more people will end up buying because of this tactic then will care about it.


I am not buying this excuse. It is individuals, making individual decisions, that create the environment, and the buck stops with them. This form of relativism can easily be extended to all sorts of fraud and corruption.


> This form of relativism can easily be extended to all sorts of fraud and corruption.

You’re right, it can be, and it is for much of the world. Which is why you need to get the system right.


No one is being forced to let their start-ups be dictated by venture capitalists. Everyone is responsible for their own actions.


Are you so sure?

The cost of not having resources is not surviving.

Name a big tech company that you could work for that didn’t take on venture funding.


In the pantheon of tech company misconduct, opting users into marketing emails when they open a support request seems pretty minor (especially if they can easily opt-out).

This is at worst, a trivial annoyance. I don't see how we need regulation to outlaw this behaviour.


Sure, sending spam that I can opt out of isn't the worst thing they can do. But if you are selling security products I expect better morals than that. This is yubico squandering trust in exchange for sending a few more marketing emails.

Considering legislation: I live in Germany. Over here unsolicited marketing mail (snail mail) addressed to me is illegal. I fully support legislation that extends the same standard to email (and I'm pretty sure yubico's behaviour is illegal here). It's waisting my time and computing resources for somebody else's gain (and that on a massive scale: if you waste just one minute each from a million people, that's two full years wasted)


> I fully support legislation that extends the same standard to email

Has already happened. Sending unsolicited marketing via email is illegal in Germany. For some light reading I can recommend this lawyers blog who blogs about his lawsuits against spammers https://www.kanzlei-hoenig.de/search/Spam/

A recent high profile case deciding that even marketing in auto replies constitutes spam was this https://www.dr-bahr.com/news/werbung-in-autoreply-e-mails-is... (with links to high court decisions)

An overview about under which conditions Marketing Mails are legal is here https://www.datenschutzbeauftragter-info.de/fachbeitraege/ne...

You can request that the sender produces a protocol of your opt-in. That’s usually the best route as a layperson since it demonstrates that you know your rights, carries no risk since no accusations are leveled and is a red flag for any lawyers on the other end. I have a link to a good sample text somewhere but can’t find it right now.


Well, it’s says a lot about their company values though. That you can take and extrapolate on anything else they might do or not do


this says nothing about the company values; a person made the wrong decision. you’re blowing it up in a fantastical way, like the author of the editorial.

i don’t make purposeful email addresses; i don’t have time for that.


> a person made the wrong decision

…during the course of that person's work duties, for which the company, therefore, owns responsibility. Literally every single thing any company has ever done wrong boils down to "a person made the wrong decision."

> i don’t make purposeful email addresses; i don’t have time for that.

Yes, but security and privacy researchers make time for this specifically to validate whether companies follow their own privacy and usage terms as well as to quantify and gauge the risks in interacting with a company, such as the risk that the company will misuse that information or the risk that the company may be breached, resulting in user account details being used in attacks against the individual users themselves.

It's fine if you don't do any of this or, for that matter, if you don't even care. But don't belittle the work when you don't understand the reasons for it.


> It's fine if you don't do any of this or, for that matter, if you don't even care. But don't belittle the work when you don't understand the reasons for it.

Maybe don't over invest your emotions in something that isn't really important in the scheme of life? shrug. I don't think this is belittlement, but advice on how to manage stress.


> a person made the wrong decision.

Even if that were true, they doubled down on their decision:

"Hi Chris, Thanks for reaching out. We've removed you from our email list."

That is not acknowledging they made a wrong decision here, it's an attempt to re-frame what they did as as simple opt-in/opt-out mailing list business.

It's not that hard either: "This shouldn't have happened. We're looking into it. We're sorry (and here's cake for your trouble)." Not this "I'm sorry you feel sad because I ran over your cat (but not for running it over)".


> "I'm sorry you feel sad because I ran over your cat (but not for running it over)".

Hyperbole much? How about "sorry I called you during dinner"?


>time for that.

I wish you good luck :) I, like many other people in this community, make sure everywhere I register I use a unique username/email. It is also safer as to have a different email for each service. This way I know which * sells my data left-right-and-center.

As for the Company Values, these are the ones _practiced_ by its people. No point having an adamant privacy policy if your staff actually disregards them.


> i don’t make purposeful email addresses; i don’t have time for that.

It takes zero effort with gmail and a number of similar platforms. e.g. for gmail and hotmail just put a +something after your username:

foobar+yubikey@gmail.com

You don't even have to prepare it advance, just do it when you're signing up to a site and it'll happen automatically.


It's again like the social media issue. Lot of people don't care doesn't make it right thing to do. These type of things should be opt-in.


On the later subject: I have a catch-all on a subdomain, so I do that on a regular basis with zero time effort (amortized). Just enter "${websitename}@antispam.[...].com" during registration. I'm actually surprised that only a handful of these addresses receive spam; but misconduct as described here never happened to me.

(Website and service operators claiming they were not pwned, however, is pretty usual).


> i don’t make purposeful email addresses; i don’t have time for that.

I do, because I can make them automatically. With Fastmail, if your address is name@fastmail.com you can make an email somerandomcompany@name.fastmail.com and it will automatically make it to your inbox. Fast, convenient and zero effort.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: