Proper disclosure, or how not to be a comment spammer

January 2, 2010

Shortly after I wrote my first ipsCA entry, I got a comment on the entry recommending a specific other SSL vendor. At first this didn't strike me as unusual; it was the kind of helpful note that might be left by one of my readers (or just someone who saw my blog entry on Planet Sysadmin). But I have a hair trigger with spam, one that not infrequently makes me unreasonably suspicious, so I ran the poster's IP address through a reverse DNS lookup just to make myself feel better.

Since I'm writing an entry about it, you can probably guess what the result was. Let's just say that the IP address in question was intimately associated with the SSL vendor that was being recommended (although this was not immediately obvious, since it was in the overall corporate domain instead of the vendor's SSL site).

I doubt that this is actual, intentional comment spam (for a start, I suspect that anyone underhanded enough to do this intentionally is smart enough to do it in a less traceable manner). Instead, I imagine that it was simply a well-intentioned employee of the SSL vendor wanting to share some good news. However, the net effect was extremely bad; by not disclosing their affiliation, the commentator turned their good intentions into comment spam.

(And they caused all of the consequences that usually ensue. For example, I am going to do my level best to ensure that we don't buy our eventual SSL certificates from that vendor.)

So here is a message to all vendors, and to everyone who works for them: proper disclosure is not optional. There is no surer way to throw away any possible goodwill you might have and give yourself an indelible and unpleasant reputation than to act like a covert marketer. People these days are more and more sensitive to things that look like marketing, 'astroturfing', and outright spam (and the lines between them are awfully thin), and they react very badly; you become an untrustable, slimy liar on the spot. And you will get caught sooner or later.

(Perhaps you think that you can't disclose your affiliation without your comment looking bad. Well, you know, if you can't disclose your affiliation without having your comment look like anything but a marketing message, perhaps you ought not to leave it, good intentions or not.)

(This is one of those entries that I shouldn't have to write but apparently I do.)

Comments on this page:

From at 2010-01-02 16:20:39:

I can understand where you're coming from at a philosophical, moral and ethical level, and I would at a personal level completely do the same thing. But unless your bosses have explicitly told you that what you're doing is okay, you need to keep one thing straight: as the employee of an organization, you have a responsibility to make your purchasing decisions based on objective criteria that meet with organizational goals, not based on personal biases and ad-hominem beefs with particular employees. Anything else is demagoguery that serves you more than the people signing your paycheck.

By rdump at 2010-01-02 19:14:31:


I've encountered that particular specious mis-argument before from vendor reps who get caught. It's tiresome to deal with.

Email spamming, comment spamming, astroturfing, and similar immature marketing tactics speak volumes about the perpetrator and their products. It's a clear public admission by the perpetrator that the product isn't appropriate for the purpose, or it otherwise isn't strong enough to be sold without subterfuge. Treating so unethically is also a strong sign of disrespect for the potential customer. Either is a sufficient reason to prune that vendor away from the shortlist early.

After all, if I were to engage in a business relationship with a vendor who has that kind of attitude, I would rightly expect it to be abusive in other ways. It would be very unwise of me (perhaps even to the point of career suicide) to set my company up as such a victim.

We necessarily judge the business suitability of any vendor responding to one of our RFPs. Businesses that show such a marked inability to behave in an ethical and above-board manner are a much higher risk. Their submissions must be disqualified, or in extreme cases, answered with lawsuits and/or criminal investigations.

In the same way, we judge the providers of services we're able to buy "on the economy". If we catch them spamming, or showing other signs of the spammer mentality, that's a red flag for disqualification. Corporate culture will out, and a corporation that tolerates their employees engaging in that kind of misbehavior is almost universally a bad partner.

Our duty to our employers, to get the best service possible for the money, demands we move on to more reputable firms that haven't already clearly and unequivocally shown they're just out to screw us over.

Written on 02 January 2010.
Last modified: Sat Jan 2 00:59:45 2010