If you’re a Naked Security reader, you’ve probably heard of Ghostery.
Even if you don’t use it yourself, you’re likely to have seen it mentioned, almost certainly positively, in comments by other readers.
In its own voice, “Ghostery is a browser extension that helps you to manage website trackers for a cleaner, faster, safer experience.”
Ghostery’s German owner, Cliqz – itself part-owned by Mozilla – makes a Firefox-based browser called (you may have guessed this already) Cliqz, “the no-compromise browser” that “gives you relevant search results and does not leak your private data.”
You therefore probably wouldn’t expect Ghostery, of all people, to be carried away by the recent GDPR messaging frenzy sweeping Europe.
We’re assuming that our American friends felt the fringe of the GDPR email storm, but here in the EU (the UK is a member state for the time being) the flood has turned into a veritable deluge in recent days.
Companies that collected our email addresses sometime in the past, but had never thought to ask if we minded being on their mailing lists, even though GDPR has been law for more than two years already, used the last few days before the start of GDPR enforcement to beg, bludge or badger us into making things official.
Their emails typically didn’t put it like that, of course: they warned us that it we weren’t careful, we’d inadvertently sacrifice the inestimable value of being on their list, so we’d be well-advised to act at once – with one particularly desperate company offering us no less that a FREE CAT VIDEO for signing up.
Of course, on Friday 25 May 2018, when GDPR enforcement officially started, we were looking forward to the end of all this consent-at-the-last-minute nonsense…
…while simultaneously wondering just how much self-congratulatory-and-smugly-compliant stuff we’d now start getting instead, this time from companies that had acquired our consent before the cutoff, and couldn’t wait to show us the innumerable benefits of having stayed on their list.
Ghostery’s gaffe
Anyway – fear not, we’ve got ourselves back on track in this article now – Ghostery was one of the companies that decided to send its subscribers a “Happy GDPR Day” email on Friday.
We mean that quite literally, by the way, as you can see from the subject line below:
Fighting talk, to be sure, although we suspect someone at Ghostery is regretting the highlighted words in the text above:
We at Ghostery hold ourselves to a high standard when it comes to users’ privacy, and have implemented measures to reinforce security and ensure compliance with all aspects of this new legislation.
In fact, we suspect that someone is not only regretting those words, but also worrying just how fiery their first meeting on Monday morning is going to be.
Unfortunately for whomever pressed [Send] on this one, privacy-protecting proselytisers Ghostery ended up delivering the message to all of its security-sensitive subscribers on Friday…
…in batches of 500, with all 500 email addresses in the To: field every time.
In other words, each of the recipients of the “Happy GDPR Day” message explaining just how much Ghostery values their privacy and security, and how many steps it has taken to reinforce them …
…could see the other 499 people on their section of the mailing list, making the email look a bit like this:
In words we have probably all utterered at some time or another, “That was NOT supposed to happen!”
What to do?
As the Naked Security reader who sent us a copy of the errant email wryly remarked, “Well, this is embarrassing.”
What advice do we have for anyone wanting to avoid the same problem?
All we can think of is, “Don’t do that.”
By the way, if you’re the boss with the job of roasting the person who clicked [Send] come Monday, please take into account that they’ve had the whole weekend to sweat about the blunder…
…but if you’re the person who clicked [Send], you might want to use the weekend to go shopping for a flameproof jacket and a pair of heat-resistant trousers.
.