Yubico fails to care that people give you email addresses for specific purposes

May 9, 2018

A while back, Yubico had a little security issue that forced it to replace any number of Yubikey 4s, including mine. In order to do this, they required people to give them an email address so they could send you some necessary information; following my usual practice I gave them a tagged, individualized address. Today I received email to that address, received from the server of a domain called 'mktomail.com', that started out like this:

Subject: Passwordless authentication is here

Yubico scales across enterprise

Passwords are out. You're in!

The passswordless evolution of the FIDO U2F standard has arrived with FIDO2. [... marketing materials removed with prejudice ...]

You are receiving this email because you made a Yubico purchase or contacted Yubico.

I'm sorry, that's not how this works. In the normal course of events, people do not give you email addresses to do with as you will; people give you email addresses for specific purposes. In this case, I gave Yubico an email address to get a defective product fixed, but one might report a bug, contact product support, or perform other limited interactions with the company. These specific and limited purposes do not include 'receive unsolicited commercial marketing emails'.

Of course, the marketing department does not want to hear this. The marketing department wants to use every plausible address it can get its hands on. People these days vaguely get that you usually cannot buy addresses from other people without getting badly burned, but they keep thinking that other addresses are fair game, regardless of the purpose for which they were originally handed to the company.

Some of the time, the company supports the marketing department, as it did at Yubico, and these addresses get used outside of the purpose they were given to the company. At that point the company betrays the trust of the people who handed over their email addresses in good faith and pisses off some number of people who have interacted with the company in the past, some of which have actually bought their products. The results are predictable, as is the resulting form-letter evasion.

(When enough companies do this sort of thing for long enough, you get things like the EU's GDPR, which will likely make this conduct illegal. Sadly it is probably not illegal under Canada's anti-spam legislation, and anyway I expect Yubico to ignore the GDPR issues until they or someone else visible gets slapped with a nice fine for this sort of thing.)

Sadly I have no idea what is a viable alternative to Yubikeys, but at least we're not likely to buy any more any time soon.

Comments on this page:

By Ilmari at 2018-05-09 03:16:33:

Re: Yubico alternatives: Nitrokey looks interesting. They host this page with a list of dongles as well: http://www.dongleauth.info/dongles/. I stumbled onto them when I saw they sponsor free dongles for Linux kernel authors: https://www.nitrokey.com/news/2018/nitrokey-partners-linux-foundation-equip-all-linux-kernel-developers-nitrokey-usb-keys

With all the respect and gentleness I can muster:

You're kind of living in a delusion if you think that's how E-mail works.

I agree, that's how E-mail SHOULD Work. Most users, like 99.999% of E-mail users (or more) have no idea that you can add tags to E-mail.

Your message is a good one, but maybe it should be re-phrased in places so that the people you need to reach may actually listen.

By Omar at 2018-05-13 13:19:09:

Sadly that's the state of the internet right now. Yes it sucks!

By cks at 2018-05-13 15:56:17:

Using tagged email addresses is mostly orthogonal to people handing over their email addresses for specific purposes. People almost always hand over their email addresses for a specific, limited purpose, not for general use, whether or not they're giving you a tagged email address. Using tagged email addresses just means that people can tell where an email address came from when it's misused; here it means that I can know for sure that Yubico harvested my RMA email address, as opposed to me not having any sure knowledge of where Yubico got my email address from.

(If you have cancellable email addresses, using tagged email addresses also means that you can completely turn off a misused address, frustrating all future uses of it by anyone (whether the original misusers or someone they may have passed the address on to).)

By Drewry Pope at 2018-05-13 21:54:32:

Small typo? 'uise'

By cks at 2018-05-13 22:11:39:

Whoops! Yes, and fixed now. Thank you.

(I'm not sure how that typo slipped through. Clearly I didn't pay enough attention to spell's output when I was drafting this entry.)

Written on 09 May 2018.
« How we're going to be doing custom NFS mount authorization on Linux
Python modules use operator overloading in two different ways »

Page tools: View Source, View Normal, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Wed May 9 02:41:48 2018
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.