Aerlingus Spam - Twelve Horses

Butch · 30-10-2003 8:16pm #1

Hi,

Today I received a dodgy spam email - supposedely sent on behalf of Aerlingus.com. The company behind the mass emailing is called Twelve Horses.

I already changed my email address because of spam, and since then I have been careful in not using it for newsgroups and so... Apprarently not careful enough...

I have reasons to believe that Aer Lingus is outsoursing their marketing, as the email is using my full name. What pisses me off is that the bastards are passing my details to third party companies.

Opinions anyone?

Butch

mneylon · 30-10-2003 9:47pm

If you could provide the full headers for the mail it might help.

Butch · 30-10-2003 10:14pm

Originally posted by blacknight
If you could provide the full headers for the mail it might help.

Here you go. I removed my details and part of the URL they requested me to click on.

Return-Path: <specials@eebxdp.bcshdg.th.b.12hs.com>
Delivered-To: XXXXXXXXXXXXXX
Received: (vpopmail 31106 invoked by uid 16); 30 Oct 2003 11:11:00 +0000
Received: (qmail 23295 messnum 2197077 invoked from network[12.165.53.112/mailout01.twelvehorses.com]); 30 Oct 2003 11:09:32 -0000
Received: from mailout01.twelvehorses.com (12.165.53.112)
by mail04.svc.cra.dublin.eircom.net (qp 23295) with SMTP; 30 Oct 2003 11:09:32 -0000
Received: from eebxdp.bcshdg.th.b.12hs.com (192.168.4.51)
by mailout01.twelvehorses.com with SMTP; 30 Oct 2003 03:09:32 -0800
Message-ID: <6845169.1067511865137.JavaMail.dynamo1@app02.prv.twelvehorses.com>
Date: Thu, 30 Oct 2003 03:04:24 -0800 (PST)
From: "aerlingus .com" <specials@aerlingus.com.r.12hs.com>
Reply-To: "aerlingus .com" <specials@eebxdp.bcshdg.r.12hs.com>
To: XXXXXXXXXXXXXXXXX
Subject: Up to 50% off
Mime-Version: 1.0
Status: RO
X-UIDL: 1067512260.31106.mail04.svc.cra.dublin.eircom.net,S=2328
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Up to 50% off our lowest fares on all routes at www.aerlingus.com
[500,000 seats on special offer]=20
=20
Discount applicable on travel between 01 Nov '03 - 08 Feb '04. Discounts
vary depending on day and time of travel. Discount valid on our cheapest
internet fares excluding taxes and charges. Subject to terms, conditions
and availability, see aerlingus.com for full details. =804 per ticket
handling fee applies. Book now at www.aerlingus.com .=20

========================================================================

MESSAGE LINKS

========================================================================
You have just received a HTML mail from Aer Lingus. Click here to view it in your browser:
<http://www.twelvehorses.com/S1/XXX/XXXX/M/>

To unsubscribe from this service, follow this link or alternatively, copy and paste the link into your browser:
<http://www.twelvehorses.com/S1/XXX/XXXX/U/>

========================================================================

mneylon · 30-10-2003 11:26pm

Uses a US IP address....
I'd report them to Spamcop... (http://www.spamcop.net)

zenith · 31-10-2003 10:21am

FFS, Blacknight, can you PLEASE check first that Butch didn't actually opt-in before acting like the sherrif?

Just because Aer Lingus outsource their mail sending does NOT mean that they've sold Butch's address to the vicodin peddlers.

Butch, you should know better too.

mneylon · 31-10-2003 10:27am

Zenith - if he feels that it's spam he should submit it to spamcop. Whether Aer Lingus are outsourcing their mailing or not is not important if he never gave his permission.
IF he did give permission then he should unsubscribe or keep quiet.

dmalone · 31-10-2003 11:03am

All,

Here at Twelve Horses we take the SPAM issue very seriously because it can fundamentally harm our business.

All of our clients are encouraged to abide to 'opt-in' standards. We take every complaint seriously and try to respond to every individual who contacts us with an issue. Needless to say we provide standard unsubscribe tools but we also can override this at the request of an end user recipient who may want a 'global' block from our servers.

All of our clients are reputable companies and they fully understand the legal and customer issues surrounding email marketing. We do our best to educate them and have built in controls to actively monitor their activities. Examples include dynamic bounce threshold alarms, list scanning for spurious email addresses e.g. sales@, admin@, etc ...

We do employ a full time Privacy Officer whose job it is to ensure we remain on the major ISP whitelists. If anyone has a complaint come to us directly, we encourage it. We are honest and straightforward in our dealings. My phone number Dublin 2402502 if you wish to talk or email abuse@twelvehorses.com

Finally today sees new legislation coming into force and whilst it may help with EU originating mail I doubt it will do much to stop the tirade of rubbish we receive from unknown SPAMMERS.

However note that under the new law if you buy a product or service from a company there is implied permission for that company to communicate similar offerings to you via email.

Thanks

David Malone
CEO
Twelve Horses

mneylon · 31-10-2003 11:20am

David

Glad to hear that you take this issue seriously.

The new EU laws should hopefully improve matters for everybody, although the bulk of SPAM is not about airlines - as we all know

DeVore · 31-10-2003 11:47am

no its those filthy evil dirty C/R bastards! DONT YOU UNDERSTAND!!!
THE WORLD IS AT RISK AND ONLY I, YES I, CAN WARN THE PLANET
SAVE YOURSELVES! I TOLD YOU THIS WOULD HAPPEN!!!

Ahem. sorry... see what happens when threads cross...

DeV.

mneylon · 31-10-2003 11:49am

ROFL

ecksor · 31-10-2003 11:51am

In all fairness, if the first thing you suggest upon hearing that someone got an e-mail from a company they did business with is to report the mail to spamcop then you need your head examined.

mneylon · 31-10-2003 11:54am

The original poster did not make it clear that s/he had done business with them in the past.
My suggestion to submit it to Spamcop was based on the premise that the email was spam ie. that the person had genuinely not give permission to be contacted etc., etc.

ecksor · 31-10-2003 11:58am

Well, what is the alternative plausible scenario since he concluded from the use of his full name that Aer Lingus has passed on his details?

mneylon · 31-10-2003 12:04pm

An alternative plausible scenario is that I misread his original post

dmalone · 31-10-2003 12:08pm

All,

When companies engage in eMarketing via email they rely on infrastructure provided by service providers such as Twelve Horses. Our customers run our software via web browsers and purchase a secure 'domain' from us. They upload their lists, creative and send their campaigns. The data is protected and only accessible by our customers. We monitor their activities.

My guess is that the original post refers to a mail from Aer Lingus that was offering savings to him/her based on an existing customer relationship.

Rest assured that the data is protected and we conform to SAS 70 in the U.S. which means that we are a reliable source for email messaging software and infrastructure independently audited by Ernst & Young.

The confusion likely arises in that the headers contain our IP range details. As I said we can ensure that the customer will NOT receive unsolicited email if they unsubscribe or contact us directly in our Dublin office (where we employ 20 software engineers)

Thanks

David.

sceptre · 31-10-2003 12:13pm

Originally posted by dmalone
However note that under the new law if you buy a product or service from a company there is implied permission for that company to communicate similar offerings to you via email.

Hmmm.

You can still opt out later (even if a company throws that at you and won't unsubscribe you) under the Data protection act 1988 section 2.

dmalone · 31-10-2003 12:21pm

Yes you of course can opt-out or unsubscribe. Most companies abide by this and if a client unsubscribes we mark that in our database and if that client even tries to resubscribe our systems will track this and verify with the customer if they wish to receive communications.

As I said we take the issue seriously and our stance is to place the ultimate customer in control.

The legislation is clear. Opt-in is mandatory, there is implied opt-in for existing products/services but you can of course opt-out.

Hopefully that clarifies the position.

mneylon · 31-10-2003 12:23pm

You obviously respect that, however the real spammers, who use 'bullet-proof' hosting providers don't.

Butch · 31-10-2003 10:22pm

Thanks for all your responses, and particularely to David Malone for coming forward and articulating his company's policy. It's refreshing to find some serious marketeers in this industry.

Yet, I want to make some points very clear.

Originally posted by blacknight
Zenith - if he feels that it's spam he should submit it to spamcop. Whether Aer Lingus are outsourcing their mailing or not is not important if he never gave his permission.
IF he did give permission then he should unsubscribe or keep quiet

This is the core issue. I never gave Aer Lingus authorisation to use my details in marketing campaigns. From the Aer Lingus Tab Membership website:

We may also wish to use your personal details to provide you with information which you may find of interest including special offers and services offered by Aer Lingus, other carriers and service providers. We may contact you by any means of communication for which you have given us contact details. If you do not wish to receive such information please tick here.

Needless to say, I ticked this option, clearly opting out of marketing promotions, but Aer Lingus doesn't seem to pay much attention to this.

Second: Even if I gave Aer Lingus authorisation to use my details (which I didn't) I gave it to Aer Lingus solely. This doesn't authorise them to make use of my details and pass them to any tihrd party. No matter how serious they are, I believe this breaches confidentiality.

Originally posted by dmalone
We take every complaint seriously and try to respond to every individual who contacts us with an issue. Needless to say we provide standard unsubscribe tools but we also can override this at the request of an end user recipient who may want a 'global' block from our servers

David, I appreciate this (seriously), but you perfectly know about all the dodgy "opt-outs" reply addresses used only to verify the address is valid and automatically get your spam increased exponentially. I don't know about Twelve Horses. Aer Lingus should have done the decent thing and notifying their customers about their arrangement with Twelve Horses, instead of surprising them with an unknown Marketing company, no mater where the IP address originates from... Under the existing circumstances you can't expect me just to click on an "out-of-the-blue" link to "opt-out"...

And finally: I wouldn't send this to Spamcop before taking some measures. I called this morning to Aer Lingus, and their Marketing department confirmed they are outsourcing their campaigns to Twelve Horses.

I also called Twelve Horses. To my pleasant surprise, the lady on the phone was very professional and polite, listening carefully to my concerns, took my details and told me my name will be taken out of the list, advising that the problem originates with Aer Lingus, as they may send my name again for the next batch.

I still strongly disagree with Aer Lingus having used my details without my consent. I plan to raise a format complaint to them.

Regarding Twelve Horses, I am quite satisfied with their reactiveness, on the phone and by David Malone on this forum.

Regards,
Butch

oscarBravo · 01-11-2003 2:09pm

Originally posted by Butch
Needless to say, I ticked this option, clearly opting out of marketing promotions, but Aer Lingus doesn't seem to pay much attention to this.

[...]

I still strongly disagree with Aer Lingus having used my details without my consent. I plan to raise a format complaint to them.

Take it straight to the Data Protection Commissioner. Sounds like a clear breach of the DPA.

BrianD · 03-11-2003 11:15am

Butch, Aer Lingus were wrong to send you e-mail if you opted out. If they sent it in error and as long as they take the steps to rectify it then it is really not a major issue.

You are wrong is saying that Aer Lingus were breaching your confidentiality by using a third party to execute their bulk e-mailing. Many companies use third party providers for a whole range of functions accross their field of operations. It is very common for companies with large mailing lists - whether postal or electronic - to use specialist companies to manage and execute their campaigns. Most of the time you are unaware that a third party is doing this for them. It is really irrelevant who does it as long is conducted legally and responsibly. Aer Lingus have absolutely no need to inform their customers of this ... why should they?

Personally, I am very interested in the area of data protection and companies dubiously using data but I think you're going overboard by saying that you are going to complain? What will your complaint be?

Bard · 04-11-2003 12:27pm

I signed up for regular updates from Aer Lingus so I get this all the time.

I don't care who's sending it... I signed up for it.

No big deal.

oscarBravo · 04-11-2003 12:40pm

That's fair enough, Bard, but the point is that Butch explicitly asked not to be contacted, as is everyone's right under the Data Protection Act.

ColinM · 04-11-2003 12:52pm

I opted out of all options presented by Aer Lingus too, but I got junk mail delivered to my house instead.

BrianD · 04-11-2003 4:16pm

Well Butch needs to explicitly tell them to stop contacting him! They take him off the list and case closed! Butch seems to be implying that there is something sinister about the affair with third party providers etc. They just made a cock up and they deserve the opportunity to amend the situation so that Butch no longer receives their mail.

On an aside, I heard a great story about a "junk mail" campaign that started when a well known international news magazine sold their subscription list. The recipients got unsolicited mail (possibly with products)along with a postage paid envelope to the Netherlands. Irate recipients simply taped the envelope to a red brick and put in their local post box. The mailer had to pay for all these bricks to come from around Europe and it soon put an end to this junk mailers activities!!!

oscarBravo · 04-11-2003 8:16pm

Originally posted by BrianD
Well Butch needs to explicitly tell them to stop contacting him!

He already did, that's the point!

They take him off the list and case closed! Butch seems to be implying that there is something sinister about the affair with third party providers etc. They just made a cock up and they deserve the opportunity to amend the situation so that Butch no longer receives their mail.

That's what the complaint is for. We have a Data Protection Act for a reason. What makes it serious is the fact that, despite being explicitly told not to, they gave Butch's contact details to a third party.

BrianD · 04-11-2003 9:00pm

Oscar Bravo, I think you need to read back through the postings as you are missing the point!

Butch states he has opted out of mailings but has received a mailing. He needs to inform aer lingus of this ... they have deliberately or inadvertantly sent him a mail despite his express wishes. There is nothing to indicate that he has received mails after informing aer lingus of this (assuming that he has).

There is no evidence to suggest that Aer Lingus have passed his details to a third party. They are using the services of an outside provider to execute the mailing but this is entirely different to different to selling/renting the list to another commercial entity.

If Aer Lingus have complied with Burch's to remove him from their list then they have complied with the Data Protection Act.

Let's stick with the facts please!

Butch · 04-11-2003 9:24pm

BrianD,

I disagree.

Originally posted by BrianD
He needs to inform aer lingus of this ...

I already did so when I opted out for the first time. Even if they did it "inadvertantly" or not, doesn't change the fact that they didn't comply with the DPA. Full stop.

Originally posted by BrianD
There is no evidence to suggest that Aer Lingus have passed his details to a third party. They are using the services of an outside provider to execute the mailing but this is entirely different to different to selling/renting the list to another commercial entity

And what exactly is "another commercial entity" if not a third party?. I don't have control over the terms and conditions under which Aer Lingus provided 12H with my information. I gave my information to Aer Lingus only. I never authorised them to give it to any third party, no matter how pure their commercial record is.

Originally posted by BrianD
If Aer Lingus have complied with Burch's to remove him from their list then they have complied with the Data Protection Act.

Again, see my point above. I did it when I opted out. This is what they should have complied with on the first place. They didn't.

Regards,
Butch

BrianD · 04-11-2003 9:41pm

Butch, I don't agree with your interpretation of third party. Aer Linguss pasing on your details to another company who does the "envelope stuffing" (electronically of course) just isn't passing on your details to a "third party". There's tonnes of comapnies who outsource parts of their business - look at the banks or anybody else who holds your most sensitive and personal details. I would guess that large parts of Aer Lingus.com and their payment facilities may be outsourced (I may be wrong but it is not an unreasonable assumption to make.

Passing a list on to a third party is where the third party would have full use of the list for their own purposes. I think you have got to accept that! I don't think service providers count (nor do they count under the Data Protection Act). You do have control over the terms and conditions as these are the T&Cs that apply if you had of opted-in (and we know you did not). Your agreement would be with Aer Lingus not with any service providers.

I wholehearted agree with you that they should not have added you to their mailing list if that was your wish. You do have a business relationship with aer lingus as a customer. If they added you in error they should remove you. I really don't see what the song and dance is about as if there's some sort of conspiracy.

oscarBravo · 04-11-2003 10:56pm

Brian, the definition of a third party is not a question of interpretation. When Aer Lingus outsourced a marketing function (as they are perfectly entitled to do), they handed over a list of personal data to another company. In this case, Aer Lingus are Data Controllers, and 12 Horses are Data Processors.

All this is clearly explained on the Data Protection Commissioner's website. A key point:

If you obtain peronal information for a particular purpose, you may not use the data for any other purpose, and you may not divulge the personal data to a third party, except in ways that are "compatible" with the specified purpose. A key test of compatibility is whether you use and disclose the data in a way in which those who supplied the information would expect it to be used and disclosed.

Butch provided personal information for the purposes associated with the online service, and explicitly stated that it was not to be used for marketing purposes. It was disclosed to a third party solely for marketing purposes. It seems clear-cut to me.

I don't see a "song and dance" being made here - this isn't just a mistake; it's a breach of the type of controls Aer Lingus are supposed to have in place as a registered Data Controller.

BrianD · 05-11-2003 2:27am

Well you have found the paragraph that exactly sums up my point! 12 Horses are a "data processor" and not a "third party" and it is not unreasonable to assume that such a company may be employed to process the data that a company collects from the customers. However, you are a bit selective on quoting from the act! The paragraph immediately after the one you quoted reads:

Note that transfers of personal data to agents of yours, who are carrying out operations upon the data on your behalf and not retaining it for their own purposes, do not constitute "disclosures" of data for the purposes of the Act.

Therefore the airline has NOT handed their list over to a "third party" - by this I mean another company who would actively use this list for their own marketing purposes. We have to be clear cut, as you say, here - the data was not being used by a third party for marketing purposes merely being processed on behalf of the airline, the data controller.

I have repeatedly stated that the airline were wrong to send Butch marketing material when he expressly stated otherwise. It does raise an interesting topic of debate. Butch's personal data is going to be stored somewhere at the airline - he is a customer after all. In most businesses it is not unreasonable for the supplier to contact their customers with new offers, product news etc.. A fair use of the data - I think so. It is quite simply, rude but not illegal for the airline to send Butch data when he doesn't want it!

Sloppy data entry is probably why Butch received a mailing from a company of whom he is a customer. However, as long as Butch points this out to the airline and they rectify the situation then the airline are acting according to best practice (they have to confirm that they have removed you in writing within 40 days).

Much of the DPA legislation is aimed at "direct marketing companies" i.e companies who market on behalf of others. The airline in question is not a direct marketing company. Note that the airline does not need to register as a Data Controller.

Aerlingus Spam - Twelve Horses

Comments