E-mailing of passwords Posted: 10/4/2009 8:37:09 AM
I agree it is unusual to send out the passwords. I have a related question. If you open a pof account with one email address and then change to a new email address and closed the email account that was used to open the pof account, will those emails from pof bounce back to pof and then the pof account gets closed? I can't experiment since I like my account and don't feel like closing it just to do that.
|
E-mailing of passwords Posted: 10/4/2009 8:49:04 AM
I believe when the POF emails start bouncing back you will be requested by POF when you login again to update your email address on your profile.
Cowboy
|
E-mailing of passwords Posted: 10/4/2009 10:37:36 AM
6. (1) No person shall send or cause or permit to be sent to an electronic address a commercial electronic message unless
(a) the person to whom the message is sent has consented to receiving it, whether the consent is express or implied;...
...(c) set out an unsubscribe mechanism in accordance with subsection 11(1).
James, you aren't reading it correctly. Consent is just ONE of the many requirements. Thus the A, B, C listing. Every requirement listed must be met by POF. It is not a "I met one, thus I can break the others" type deal. That means POF would need both my consent (as stated in A) AND they need to have an "unsubscribe mechanism" (as described in C...which if you follow down the Bill of subsection 11, it says it must be contained WITHIN the email). They've got my consent, so they're fine there. They still need unsubscribe within the email.
maybe it's you that needs to go back and read the law. or, maybe you need to get a law degree. whatever...
per the definitions of that law, “commercial activity” means any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit, other than any transaction, act or conduct that is carried out for the purposes of law enforcement, public safety, the protection of Canada, the conduct of international affairs or the defence of Canada.
i submit, that a free online dating website does not meet the requirements for "commercial activity". hence, pof is exempt from this law.
try another argument. this one has just met a brick wall. thus, it is unnecessary to even address the "consent" or "implied consent" issues. even if this law was germane, it would be obviated by the implied consent provisions (remember, those pesky TOS provisions that all members agree to, when they sign up).
the_humormonger, that's a fair thing to question, sure. However, that's not even close to a brick wall. Mainly because it would be hard to argue that POF's emails are not a commercial activity...and I'll explain why.
To start, I just want to point out that you are looking at this law from the wrong point of view. The law was not written for the perspective of users/consumers/customers. It was written to regulate commercial conduct.
So anyways, to start, I'd like to point out that you don't have to be making money off somebody for your actions to be considered commercial activity...as stated in the very definition you tried to use to say it wasn't commercial. Read this line towards the middle of the definition: "whether or not the person who carries it out does so in the expectation of profit". Really, it doesn't matter anyways because POF does make profit (over 10 million a year according to a 2008 New York Times article).
Also, regarding this statement you made:
it is unnecessary to even address the "consent" or "implied consent" issues. even if this law was germane, it would be obviated by the implied consent provisions (remember, those pesky TOS provisions that all members agree to, when they sign up).
As I explained to James above, each listed requirement for that section was required in its own right...obeying one part of a law, doesn't excuse you from obeying the others. The only way that would be the case is if it were listed as an "Exception" ... which consent is NOT listed as. It was listed as one of the many requirements...not as an exception.
Also, as already stated, TOS can not directly conflict with laws (well, I guess technically they can, but when and if they do, they are often thrown out). Laws are in place to protect the citizen, not the business.
collin does not have standing to make such an argument, as he is not a "serious member"
Again, you need to re-read the definition. It doesn't have to be a transaction. It can be many things (as were listed). In this particular case the "commercial activity" is sending a weekly email...which is an "act or conduct or any regular course of conduct that is of a commercial character, whether or not the person who carries it out does so in the expectation of profit".
I know you all want to continually go back to the fact that this is a "free" service. However, these specific laws were written with the knowledge that many websites and other electronic services are free and yet still businesses...from whom citizens still need protection. These laws were not created for no reason. You may disagree with them...but they still exist and are very relevant. This specific Bill (C-27) just became official in Canada this year.
|
E-mailing of passwords Posted: 10/5/2009 5:26:25 AM
Hey Collin,
The link to Bill C-27 you provided: http://www2.parl.gc.ca/HousePublications/Publication.aspx?DocId=3832885&Language=e&Mode=1&File=29#1
I realise you're commenting regarding Section 6 with respect to the unsubscribe mechanism etc.
But I was looking at Section 3 - Purpose of Act.
3. The purpose of this Act is to promote the efficiency and adaptability of the Canadian economy by regulating commercial conduct that discourages the use of electronic means to carry out commercial activities, because that conduct
(a) impairs the availability, reliability, efficiency and optimal use of electronic means to carry out commercial activities;
(b) imposes additional costs on businesses and consumers;
(c) compromises privacy and the security of confidential information; and
(d) undermines the confidence of Canadians in the use of electronic means of communication to carry out their commercial activities in Canada and abroad.
(Bolding is mine)
I wonder if Section 3 might apply to both POF maintaining user passwords unencrypted and also sending them out in plain text.
And the other part that I stumbled upon is Section 13: Burden of proof.
13. A person (POF) who alleges that they have consent to do an act (send e-mails including password in plain text) that would otherwise be prohibited under any of sections 6 to 8 has the onus of proving it. (Italics are mine)
Doesn't this boil down to POF merely providing the evidence that the user signed the TOS and therefore putting POF in the clear? I get the feeling the intent of this bill more surrounds a desire to address SPAM from Canadian local business. We have something similar in Australia. There's a lot of convoluted reading in there, so maybe I missed something.
I wonder if Canada have a law encompassing these concerns buried in some sort of privacy provisions?
|
E-mailing of passwords Posted: 10/5/2009 5:53:51 AM
Cowboy,
Are you saying that if you don't change your POF email address, POF will delete the account? I wonder, because there are so many people who haven't logged in in over 2 years. Just wondering because it would make the database so much cleaner. Only because in the registration screen, there is much bragging about the removal of bad accounts and how quick that happens.
|
E-mailing of passwords Posted: 10/5/2009 6:02:59 AM
Cowboy, Are you saying that if you don't change your POF email address, POF will delete the account? I wonder, because there are so many people who haven't logged in in over 2 years.
No. I don't know what will happen; I didn't push it. I have several email accounts and the one I used for this site for a long time was actually on a friend's internet service with Verizon and he didn't pay a bill on time once and my email account (as well as all his family's) was shut down for a couple days. When I logged in here I got a message saying my email account was not valid and said I needed to enter a valid email address. So I entered another valid one. I don't know the exact consequences of dodging it. I said when I logged in after their emails were being bounced it asked me to enter another valid email account.
Cowboy
|
E-mailing of passwords Posted: 10/5/2009 6:46:45 PM
13. A person (POF) who alleges that they have consent to do an act (send e-mails including password in plain text) that would otherwise be prohibited under any of sections 6 to 8 has the onus of proving it.
Doesn't this boil down to POF merely providing the evidence that the user signed the TOS and therefore putting POF in the clear?
It would clear POF for having consent to send the emails (which I agree, they already do have consent). I don't think anybody here is really arguing over consent.
The issues come into play with not following other requirements, such as unsubscribe. The privacy and security sections are something POF is running the lines thin on...though it's certainly arguable for that as there are "basic" security measures...like simply having user/pass. Whether that is enough and whether or not sending passwords in plain text through emails is considered compromising security would be the real question. That'd have to be argued hard on both sides. In my opinion, that's quite a big compromise in today's world where a 10 year old knows how to packet-sniff ... especially when there are easy solutions that would be cheap and quick to implement.
|
E-mailing of passwords Posted: 10/9/2009 4:03:07 PM
All the arguing about bill C-27 is irrelevant. Nobody can be breaking the law by any clause in that because it's a bill which has not yet become law (and may never do so).
The relevant law here is PIPEDA, and the issues with respect to it are pretty clear.
1) Passwords are definitely personal information (and all the stuff accessible once somebody has your password even more so).
2) PoF is obligated under PIPEDA to protect your personal information.
So ...
3) Is PoF breaching PIPEDA by mailing out your password in unprotected e-mail?
All the arguing about whether the information is important or not is also really just irrelevant opinion. The law doesn't consider whether the personal information is important or not. It is personal information; that's all that matters.
I say yes, PoF probably is breaking the law. It doesn't matter if you sign your life away in the Terms Of Service. There are still basic standards of reasonableness that must be met. PoF couldn't, for example, come around and steal your furniture even if you did agree to it when you signed up. That's an extreme example but the same principle. Certain things are assumed automatically in contracts because they are reasonable and expected in contracts (which is why 99% of us just skim over agreements fast rather than reading them in detail), and you have to go out of your way to emphasize them if you want to contract around them.
So, the key question is this: is it reasonable to mail out plaintext passwords periodically? Ten years ago it probably would have been, because most people weren't clued up on such issues back then. Even five years ago (when PoF appeared) you might get away with it. Nowadays pretty much everybody who does this for a living knows this is a bad idea, so it's very doubtful you could claim that their policy is reasonable. As time goes by and security awareness rises more, it'll become even more of a losing argument.
Probably the only reason the big fish hasn't had trouble with this is that nobody has cared enough to complain about it to Canada's Privacy Commissioner. I don't care that much, either, even though I do think it's a disgraceful security lapse. I just protect myself with a one-off password, and by never ever passing on any info here that I wouldn't want to be public. But eventually somebody will get burned here and complain about it, and then my guess is that POF will get a scathing assessment on the matter.
|
E-mailing of passwords Posted: 10/29/2009 2:20:34 AM
I'm starting to get really annoyed by those e-mails, first of all, the password shouldn't be there unless you request it, second of all, what the hell is the point of sending out the same damn e-mail about something you already know..."oh wow, I'm a member of this site? I forgot that, after I logged in yesterday." :P
Change the mail, remove the password, insert new users from your local area, and then it might be useful.
|
E-mailing of passwords Posted: 10/31/2009 1:40:24 AM
This gross violation of basic security irks me, but I'm reluctant to give up getting notified when I'm messaged or selected as a favourite. This week, a user crowed to me that she'd gotten someone's PoF password and gotten him in trouble by looking at his e-mail account on a computer he'd given her. His error, I know, but it would have stopped at one account were it not for those e-mails.
Markus has said over and over he won't stop the passwords - but is there perhaps hope for separate options to email match updates and mail/fav updates? Is that a reasonable compromise?
ED BEAR
|
E-mailing of passwords Posted: 10/31/2009 5:27:40 AM
ED I have a filter set up on my yahoo email that sends the matches and thus my password straight into the trash. I never see them. But still receive all my POF email and Fav notifications. This isn't hard.
Cowboy
|
E-mailing of passwords Posted: 11/2/2009 10:36:39 AM
If the passwords are being emailed it means they aren't even encrypted. This means the admin or anyone who ever hacked this website has access to everyone's password.
This site is really really poorly made and I wouldn't be surprised if anyone did manage to hack it.
|
E-mailing of passwords Posted: 11/2/2009 10:44:59 AM
Be smart and don't use the same password you use for POF for anything else. That way if they were hacked they can't exactly get much. We keep no personal info for you remember.
Cowboy
|
E-mailing of passwords Posted: 11/2/2009 10:50:00 AM
I don't, but there's no doubt that a lot of people on this site use the same password for every website.
|
E-mailing of passwords Posted: 11/2/2009 11:41:35 AM
Seems long-term running Threads pointing out many Security Issues with Plain-Text Passwords have somehow found their Way under the Deletion Carpet. ---> Sending Plain Text Passwords.
The only Thing left of it is the Line that presumes cheating Spouses share the same E-Mail Address, and POF will "go the extra mile" to make sure we all remain good Boys & Girls ---> E-mailing of passwords
Not quite sure how that complements the "Looking for a Fling?" Ads on Site.
One Post in particular dealt with an Employee working for an ISP and exactly how he would go about getting a hold of your Password Infos. Considering Millions are employed in the same Field, it would take but a Handful of these Guys to cause a Security Break.
And Complaints do come in Waves. Some Weeks I get Dozens of Messages from Users feeling their Accounts have been hacked, but then I don't hear another Thing about it for the next 2 Months.
Perhaps it's more of a Statement about how the Site values User Communications. For many, blowing off a Contact is far more painful than having one's Bank Account cleaned out.
|
E-mailing of passwords Posted: 11/6/2009 11:46:17 AM
Okay, finally closing my account on this site. I'm tired of getting emails with my password in it...the site owner clearly doesn't care about security or its users.
|
E-mailing of passwords Posted: 11/10/2009 1:09:21 PM
Posting this from a thread I started because I didn't find this one through search, thanks Cowboy
Please, please, please stop sending my password to me in every other email I get from you guys. The worst part is that you are sending them in plaintext, which is fine if I forget my password, because I'm going to change it. Now I feel compelled to change my password every Monday. I am no security expert, however I know my way around Backtrack Linux. Since everyone knows these emails are going out every Monday it's trivial to intercept these emails and grab passwords, especially if the user is on wireless, which it seems most people are these days. I am actually surprised this hasn't been taken advantage of yet. Or maybe it has, and I'm just lucky.
Please do not 'remind' me of my password every week in a plaintext email. If I forget my password, I can just go through the usual 'forgot my password' channels.
Otherwise, awesome site. Plentyoffish blows away every other dating site out there.
Seeing that this has been a problem since 2006 is just depressing. It would be trivial to edit your email scripts to remove this, and I feel this displays a disregard for basic security. This is Web Development 101 stuff, guys. I really hope that our passwords are stored as a hash in your database, and they're not in plaintext there also, but given the site is sending out passwords every Monday, I doubt it.
I use a unique password for this site for this very reason, however that is not a solution. It is a bandaid, and not a very good one. I feel that PlentyOfFish are unwittingly setting themselves up for serious disaster down the road, which will at least result in a mass exodus and loss of revenue, at worst serious lawsuit actions. And I read the posts involving the ToS, however many times the clauses included in ToS are not legal and therefore not defensible in a court of law.