Short Assignment:
Policy Analysis
by Anne Bauers for INLS
187
February 5, 2003
Amazing
Mail: Great Service or Recipe for Disaster?
Privacy at Amazing Mail
Privacy Policy Analysis
Recommendations for Change
I stumbled upon Amazing Mail's website while searching for a cheap, efficient, and (of course) cute way to inform my friends of my wedding date without sending a formal invitation. A friend tipped me off to the site, enthusiastically promoting their postcard service, which allows you to custom create postcards with your own graphics and text. The site will then mail your postcards via the U.S. Postal Service to the addresses you specify. This service is available to individual customers who wish to send their friends and family photo postcards or create customized invitations and greetings, as well as to businesses who wish to create pieces for direct mailing campaigns.
Amazing Mail's service seemed to fit my needs exactly: I could produce cheap, cute postcards in an afternoon, and let Amazing Mail print them and send them off to all of my guests. However, I had some concerns about Amazing Mail's privacy policy. The site requires users to create an ID and password to send postcards. Would Amazing Mail harass me by spamming my inbox after I created an accout? Amazing Mail partners with several major organizations, including Microsoft Picture It! on MSN and the U.S. Postal Service. Would Amazing Mail make my information available to these partners? Perhaps most importantly, what would Amazing Mail do with the address information for all the people to whom I planned to send a postcard.
Fortunately, Amazing Mail provides an online privacy policy where I could seek answers to my questions. Amazing Mail's policy addresses a number of privacy related questions including:
Amazing Mail collects personal data from customers when they register with the site, including name, address, email information. If postcards are sent the site also collects credit card information. The privacy policy stipulates that only Amazing Mail and its agents has access to this account information. Agents "have access to personal information needed to perform their functions, but may not use it for other purposes." The company reserves the right to use this information to send you promotional materials, unless you request that they not solicit you. (You may request this option under your account preferences) Amazing Mail does reserve the right to distribute site use information to their affiliates in aggregate form. Importantly, all addresses that you import to the site remain "strictly confidential," as do all images that you upload.
However, potential does exist for the security of your information to be compromised within the bounds of this policy. For example, Amazing Mail works with a number of affiliate organizations. If you are referred to the site from one of these affiliates, or if you use an affiliate's product that is listed on Amazing Mail's site, your information is protected by that company's policy, and not Amazing Mail's. Amazing mail regards your account information as a business asset; the policy states that "in the unlikely event that AmazingMail™ Inc., or substantially all of its assets are acquired, customer information will of course be one of the transferred assets." And Amazing Mail allows itself considerable wiggle room when it comes to surrendering your data for legal reasons. The policy notes "AmazingMail™ may disclose or access account information and your personal information when we believe in good faith that the law requires it and for administrative and other purposes that we deem necessary to maintain, service, and improve our products and services."
The privacy policy specifically addresses security, outlining the steps that Amazing Mail takes to enforce its privacy policy. Amazing Mail uses password protection to ensure that other parties cannot access your information. Credit card information is protected during transactions using the industry standard Verisign Secure Socket Layer (SSL) encryption. Additionally, transactions are authorized in real time using Cybercash, which checks for a valid credit card number and verifies the billing address to reduce fraud, and Amazing Mail's Verisign contract "provides up to $100,000 of protection against economic loss due to theft, impersonation, corruption or loss of use of an ID."
To truly assess the adequacy of Amazing Mail's privacy policy, I developed a list of analysis criteria, and measured the policy against them.
The Amazing Mail privacy policy is very specific about the use of all the types of data that the site collects. It explicitly states that "as a general rule, AmazingMail™ will not disclose any of your personally identifiable information, except when we have your permission, or under special circumstances such as when we believe in good faith that the law requires it." The policy also notes that this information will be available to agents of Amazing Mail; although these agents are not employed directly by the company, they are bound by Amazing Mail's policy. If customers choose to use services provided by Amazing Mail affiliates, including Microsoft's Picture It! service, they should refer to those affiliates' own policies. Amazing Mail only uses customer information for promotions if you indicate that you are willing to receive this type of information.
The policy forcefully states that "the information that an AmazingMail™ registered user enters into his/her address book is considered strictly confidential and will not be accessed by AmazingMail™ or any of its associates or affiliates." The only exception to this rule is a legal one; address book information, like customer data, may be disclosed if the law requires it.
I am impressed with the thoroughness and specificity with which Amazing Mail has outlined its use of the data it collects. Keeping the addresses of my friends and family confidential was important to me, so I am pleased that this is important to the site as well. The data access granted to Amazing Mail affiliates and agents is reasonable, and since I can choose to not allow Amazing Mail to send me promotional materials, I give the policy high marks for data coverage.
Amazing Mail protects account data using password protection, meaning that other parties must find out your password if they would like to view your account. However, the site has no password restrictions - passwords may be just a few characters, and no numbers or special characters are required. This makes the Amazing Mail password system quite easy to break for a dedicated interloper. Once this interloper has accessed your account data, he or she may view a record of your transactions, any images you have uploaded to the site, and perhaps most importantly, any address information that you have uploaded to the site. Because of this comparatively lax password system, I would recommend a two-pronged approach to uploading information to Amazing Mail:
Amazing Mail outsources credit card transaction protection to Verisign, which uses Secure Socket Layer (SSL) encryption to keep data secure. SSL is an industry standard, and since the Verisign contract provides "up to $100,000" in protection against fraud, this transaction protection is satisfactory. Although your credit card information may still be compromised, you are as well-protected in doing business with Amazing Mail as you are with most other electronic commerce sites.
Amazing Mail's policy is clear and specific. It is formatted to allow users easy access to specific privacy quesitons, so you can quickly navigate to the information that you need. The policy is not written in "legalese"; a layperson can easily understand it. In general, Amazing Mail does an excellent job of explaining the policy to users and of not including any tricky language.
There are some circumstances in which your privacy as a customer of Amazing Mail could be compromised within the confines of this policy. As is probably advisable for all businesses operating in this country, the site reserves the right to surrender information to law enforcement officials when " we have reason to believe that disclosing this information is necessary to identify, contact or bring legal action against someone who may be violating AmazingMail™’s User Agreement." I perceive this as a necessary inclusion in the policy.
Perhaps more worrisome is the fact that "in the unlikely event that AmazingMail™ Inc., or substantially all of its assets are acquired, customer information will of course be one of the transferred assets." In essence, if Amazing Mail were to be bought out, all your customer information would now be owned by the purchasing entity. Although in reality this would most likely not cause any major problems, it is important to note that the policy states that "From time to time we may amend our Privacy Policy without notice by posting the changes on our website." If you are concerned about the privacy of your data it may not be a bad practice to check the privacy policy for updates and changes on a somewhat regular basis.
Generally, Amazing Mail's privacy policy is a very strong one. It is clear and specific about how Amazing Mail protects its customers (and about when customers are not protected). However, there are a few ways in which the site could improve the effectiveness of this policy. Although the site may hesitate to strengthen the password requirement for fear of driving away convenience-minded customers, they may at least include an explanation of the risk of having a weak password and guidelines for creating effective passwords. Second, if significant changes in the philosophy of the business occur, as might happen if Amazing Mail were to be bought by a different organization, the policy could change dramatically. Since the site may contain sensitive information (namely large banks of names and addresses) it would appropriate for Amazing Mail to contact customers should there be a major policy change.
I was so impressed with Amazing Mail's privacy policy and excellent product that I became a customer, and have sent my wedding guests fabulously cute save-the-date postcards for less than $100. Just to be on the safe side, though, I removed all of my guests' address information from Amazing Mail's address book feature as soon as the cards had been sent. Although I have no control over any logs or backups that may contain this information, I feel comfortable that the privacy of my guests is most likely safe from prying eyes.
|
Amazing Mail, Inc. (2001)
Privacy Policy. (cited January 30, 2003) http://www.amazingmail.com/php/privacy.php3?grid=3f0772e10c15af3d |