Naked Security

Ghostery’s goofy GDPR gaffe – someone’s in trouble come Monday!

Ever CCed an email you were supposed to BCC? Sure you have! But we bet it wasn't your company's "look how good we are at GDPR" email...

If you’re a Naked Security reader, you’ve probably heard of Ghostery.
Even if you don’t use it yourself, you’re likely to have seen it mentioned, almost certainly positively, in comments by other readers.
In its own voice, “Ghostery is a browser extension that helps you to manage website trackers for a cleaner, faster, safer experience.”
Ghostery’s German owner, Cliqz – itself part-owned by Mozilla – makes a Firefox-based browser called (you may have guessed this already) Cliqz, “the no-compromise browser” that “gives you relevant search results and does not leak your private data.”


You therefore probably wouldn’t expect Ghostery, of all people, to be carried away by the recent GDPR messaging frenzy sweeping Europe.
We’re assuming that our American friends felt the fringe of the GDPR email storm, but here in the EU (the UK is a member state for the time being) the flood has turned into a veritable deluge in recent days.
Companies that collected our email addresses sometime in the past, but had never thought to ask if we minded being on their mailing lists, even though GDPR has been law for more than two years already, used the last few days before the start of GDPR enforcement to beg, bludge or badger us into making things official.
Their emails typically didn’t put it like that, of course: they warned us that if we weren’t careful, we’d inadvertently sacrifice the inestimable value of being on their list, so we’d be well-advised to act at once – with one particularly desperate company offering us no less than a FREE CAT VIDEO for signing up.

Of course, on Friday 25 May 2018, when GDPR enforcement officially started, we were looking forward to the end of all this consent-at-the-last-minute nonsense…
…while simultaneously wondering just how much self-congratulatory-and-smugly-compliant stuff we’d now start getting instead, this time from companies that had acquired our consent before the cutoff, and couldn’t wait to show us the innumerable benefits of having stayed on their list.

Ghostery’s gaffe

Anyway – fear not, we’ve got ourselves back on track in this article now – Ghostery was one of the companies that decided to send its subscribers a “Happy GDPR Day” email on Friday.
We mean that quite literally, by the way, as you can see from the subject line below:

Fighting talk, to be sure, although we suspect someone at Ghostery is regretting the highlighted words in the text above:

We at Ghostery hold ourselves to a high standard when it comes to users’ privacy, and have implemented measures to reinforce security and ensure compliance with all aspects of this new legislation.

In fact, we suspect that someone is not only regretting those words, but also worrying just how fiery their first meeting on Monday morning is going to be.
Unfortunately for whoever pressed [Send] on this one, privacy-protecting proselytisers Ghostery ended up delivering the message to all of its security-sensitive subscribers on Friday…
…in batches of 500, with all 500 email addresses in the To: field every time.
In other words, each of the recipients of the “Happy GDPR Day” message explaining just how much Ghostery values their privacy and security, and how many steps it has taken to reinforce them …
…could see the other 499 people on their section of the mailing list, making the email look a bit like this:

In words we have probably all uttered at some time or another, “That was NOT supposed to happen!”

What to do?

As the Naked Security reader who sent us a copy of the errant email wryly remarked, “Well, this is embarrassing.”
What advice do we have for anyone wanting to avoid the same problem?
All we can think of is, “Don’t do that.”
By the way, if you’re the boss with the job of roasting the person who clicked [Send] come Monday, please take into account that they’ve had the whole weekend to sweat about the blunder…
…but if you’re the person who clicked [Send], you might want to use the weekend to go shopping for a flameproof jacket and a pair of heat-resistant trousers.
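As an added example (not code from the article, and not Ghostery’s own mailing system), here is the shape a bulk mailer should take so that “Don’t do that” is enforced by the code rather than by the person pressing [Send]: the batch of addresses goes only into the SMTP envelope, the visible To: header carries no subscriber addresses, and a pre-send check refuses any message whose headers expose more than one address. The subscriber list, the sender address and the transport callback are constructed for the example.

```python
"""Added example, not code from the article or from Ghostery: a bulk
mailer that keeps the batch out of the visible headers, plus the pre-send
check that would have refused the Friday message.

SMTP delivers to the *envelope* recipients (RCPT TO), which are separate
from the To:/Cc: headers a recipient reads. A bulk sender puts the batch in
the envelope only, which is what a desktop client's Bcc: field does, and
checks the headers before sending. All addresses here are constructed.
"""
from email.message import EmailMessage

BATCH_SIZE = 500  # the batch size reported in the article

# Constructed subscriber list (a real sender would load this from a database).
SUBSCRIBERS = [f"user{i}@example.test" for i in range(1, 1201)]
SENDER = "newsletter@example.test"  # hypothetical sender address


def build_batch_message(batch, subject="Happy GDPR Day", body="..."):
    """Return (message, envelope_recipients) for one batch.

    The headers name only the sender; the batch goes solely into the SMTP
    envelope. 'Undisclosed recipients:;' is an RFC 5322 empty group, so the
    To: header parses to zero addresses.
    """
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = "Undisclosed recipients:;"
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(batch)


def build_leaky_message(batch, subject="Happy GDPR Day", body="..."):
    """For contrast: what went wrong on Friday, the whole batch pasted into To:."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(batch)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(batch)


def visible_recipients(msg):
    """Every address a recipient can read in the To: and Cc: headers."""
    addrs = []
    for header in msg.get_all("To", []) + msg.get_all("Cc", []):
        addrs.extend(a.addr_spec for a in header.addresses)
    return addrs


def check_before_send(msg, envelope, max_visible=1):
    """Refuse to send if more than max_visible addresses are exposed in the
    headers, or if the envelope is empty (nothing would be delivered)."""
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        raise ValueError(f"{len(visible)} addresses exposed in To:/Cc:")
    if not envelope:
        raise ValueError("no envelope recipients")
    return True


def batches(addresses, size=BATCH_SIZE):
    """Yield the address list in chunks of `size`."""
    for start in range(0, len(addresses), size):
        yield addresses[start:start + size]


def send_all(addresses, transport):
    """transport(sender, envelope, raw_bytes) is injected so this runs
    offline; in production it would wrap smtplib.SMTP.sendmail, which takes
    the envelope list separately from the message bytes."""
    delivered = 0
    for batch in batches(addresses):
        msg, envelope = build_batch_message(batch)
        check_before_send(msg, envelope)
        transport(msg["From"], envelope, msg.as_bytes())
        delivered += len(envelope)
    return delivered


if __name__ == "__main__":
    outbox = []
    total = send_all(SUBSCRIBERS, lambda frm, env, raw: outbox.append((frm, env, raw)))
    print(f"delivered to {total} addresses in {len(outbox)} batches")
    leaky, env = build_leaky_message(SUBSCRIBERS[:BATCH_SIZE])
    try:
        check_before_send(leaky, env)
    except ValueError as err:
        print("refused:", err)
```

The check inspects the parsed header objects rather than the raw text, so a Cc: line or a second To: line is caught too; the envelope list is passed to the transport on its own, exactly as `smtplib.SMTP.sendmail` expects, which is why it never needs to appear in the headers at all.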

25 Comments

All e-mail clients should REFUSE to send anything CC’ed, period; basically, they should ELIMINATE the option to CC and just rip that functionality right out of the clients and web-based apps.
Instead of the three options, “TO,” “CC,” and “BCC,” they should just remove the CC field altogether, and make it so that any e-mail addressed to more than one person has to have all addressees in the “TO” field, and when an attempt is made to send, a pop-up window should open, displaying:
“ARE YOU SURE YOU WANT TO SEND [this message] TO [list of addresses in TO field] INCLUDING THE ADDRESSES THEMSELVES?”
It should show the e-mail as it will appear, INCLUDING ALL THE RECIPIENTS, *HIGHLIGHTED* and require the sender to TYPE the words, “Yes, send this message to ALL recipients including the list of recipients itself to each and every single recipient” in whatever the local default language is on that machine, or refuse to send the message at all.
Having a (non-blind) CC option in an e-mail client or web-based e-mail application is like having a car that if the turn-signal’s activated, and the steering wheel turned in the OPPOSITE direction from what’s indicated, OR if the steering wheel is turned more than a degree without using the turn-signal, the airbag goes off in the driver’s face… only the airbag’s been replaced with a SHOTGUN SHELL pointed at the driver’s head and torso.

Sorry, but I disagree. At work, I often send emails TO people I’d like to take action, CCed to others for info, and I want all addressees to see who are in each list.

+1
I treat To: as “you are involved in this” and CC: as “you ought out of politeness or completeness to be informed”.
An obvious example is a leave request: HR is the team that will actually process it; CCing your boss and immediate peers is a courtesy to remind them when you’re going to be out.
In contrast, BCC: is something of a double edged sword in the work environment. It can be used positively and professionally as a “just so you know but won’t get plagued by unwanted responses” but also rather deviously as “the others don’t know you’ve seen this so keep it under your hat”.
Making the email client more annoying to use won’t stop people from sending emails to the wrong people. In fact, one sensitive email sent on purpose but to a single wrong recipient can do a lot more harm than this Ghostery gaffe, which is more of an embarrassment than a data breach.
(I wouldn’t be happy if I were a user, but I wouldn’t throw my toys out of the cot about it. I’m very, very slightly less likely to start using Ghostery because of it but [a] I wasn’t thinking of starting anyway, and [b] now I’ve publicised my Ghostery/not Ghostery status anyway.)
The bottom line is that when you’re sending emails or any sort of multi-recipient message, it’s really easy to make a mistake you immediately regret, so…
…Don’t Do That!

“the others don’t know you’ve seen this so keep it under your hat”.
I’ve seen a couple instances where this use of BCC puts egg on a couple faces:
1) the original sender
2) the BCCed recipient who hits “reply all” before realizing how they received it.
When needed I opt for forwarding the main message, lessening the casual blunder factor.

You didn’t link the cat video.

Is that a statement or a question?

Both?

I mis-spoke, I meant “is that a statement XOR a question”.
(Errr, in which case the answer “yes” still doesn’t help much :-)

Trying to apply formal logic to cats. How cute.

Technically to *videos* of cats. In fact, technically to the locations of videos of cats. In fact, technically to the linguistic mood of a sentence about the location of videos about cats.

Eman’s idea is pretty good, and if the sending process is automated, the option “CC” should not be active.

This wouldn’t have helped in this case, as every recipient was added to the “To”-field.
And if the process is automated, I’d say the tool should be intelligent enough to put the recipients to the right place…

Any security system that depends on humans to do the right thing will fail.

“I’m sorry Dave, I’m afraid I can’t do that.”
I have a less mechanistic view of cybersecurity than you: I look at it the other way around and assume that any security relying entirely on technology to do the right thing will fail.
OTOH, I do feel a touch of dystopia here inasmuch as the primary failing here was human, namely that someone thought it was a good idea to send this email to anyone at all.
YOU AREN’T GOING TO IMPRESS ME BY SPAMMING ME TO TELL ME HOW DELIGHTFULLY YOU PLAN TO COMPLY WITH THE NEW RULES ABOUT SPAMMING ME.
It’s like emailing me every morning to confirm that when you drive your car to work today you plan to comply with the Highway Code and don’t intend to overtake my bicycle only to turn left (that would be right in the US) immediately and recklessly in front of me, or to force your way past at a pinch point causing me to clip my elbow on your wing mirror and leave me howling in ill-concealed rage/pain yet again.
Talk is cheap. Just do it!

This is exactly the reason I have individual disposable email addresses for every list I subscribe to.

What’s the trick for doing that?

Gmail lets you add “+word”, where the word is anything you like, to your usual email address before the @, which makes it easy to see who emailed and to filter out emails. But to use a temporary email, forwarded to your actual email for a limited time, try any of the Temporary Email sites available, though many only last for minutes, not weeks.

Outlook.com allows “…+sometext” as a unique identifier at the end of an address, too.
I was going to suggest this trick myself, except that I figured it isn’t exactly a temporary throwaway address given that it denotes the same email address each time :-)

I am sure that all email clients can be re-issued / update with the option to “grey out” the “cc” field, by altering a setting in global settings ! Perhaps they are doing so right now…

Pretty interesting that you obscured the email addresses in the figure by changing all the letters to x, leaving the punctuation, line-ends, and spaces. I was thinking about that back in 1999 when I disclosed what issued in 2003 as US Patent 6631482. It was originally issued to IBM, currently assigned to Google.

“All we can think of is, “Don’t do that.””
Gotta love it. reminds me of the old joke,
“Doctor, it hurts when I do this. How can I stop the pain?”
“Don’t do that.”

