Wednesday, April 06, 2011

In Defense of Epsilon (A Work-Related Post)

So if you have an email address, most likely you've heard from a company informing you of a security breach at the hands of Epsilon.

Like most people at this point, you're probably asking "Who's Epsilon and why do they have my information?"  And if you're reading normally credible sources like MSNBC or CNET News, you're actually becoming more misinformed the more you read, and it's quite disappointing.

I read today of someone who got an email from US Bank about the breach and immediately drove to their local bank and demanded of the teller why his bank had given his information to Epsilon.  Of course, that went nowhere so he made his way up to harassing a manager.  A fruitless waste of everyone's time, to be sure.

So, I feel compelled to explain what Epsilon really is.  And I think it's easiest to start with an analogy.


When your state government wants a bridge built, they subcontract the actual construction out to a construction company.  Instead of having its own staff to keep track of the latest trends in construction, instead of owning all the construction equipment, it makes sense to hire someone who's an expert in that field - that's all they do.  And as such, they do it well at a good price -- they have an incentive to do so, they want more business.

Similarly, Epsilon is a subcontractor.  Sending large quantities of opt-in -- requested -- email (not spam) is a complicated process.  Going it alone is a process not for the faint of heart.  Success is near impossible and it ends up being quite costly.  Epsilon (and other companies like it) help make this process similar.

A second analogy: Internet Service Providers (ISPs) -- like Comcast, Yahoo!, AOL, Hotmail, Gmail, etc. -- are like apartment buildings.  When you send mail to them, the mail ends up in the manager's office and it's up to the manager to deliver the mail to all the residents.  Only the manager doesn't like it -- the tenants complain if the manager brings them mail they don't want.  And the tenants complain if the manager decides the tenant probably doesn't want the mail and drops it in the trash for them.  And there's so, so much mail.  It never ends.  And the apartment complex manager keeps cutting the manager's hours.

So actually getting email delivered is a difficult job.  It's not like postal mail where the U.S. Postal system will deliver whatever kind of spam just so long as they get paid.

So enter the Email Service Provider.  The Email Service Provider has the big huge machines capable of sending out large quantities of email.  And they have the staff who keep up with the latest regulations as well as the latest requirements of the ISPs (how many emails per connection, how many connections per hour, etc.)  They also keep all their customers in line by making sure their customers are being careful about how they acquire email addresses.  They also automate the process of removing bad and expired email addresses from the file as well as honoring the requests you make by clicking on "unsubscribe" or replying to the email with the word "remove" or "unsubscribe" in the subject line or in the body of an otherwise blank email.  (Yeah, did you know that trick?)

So any company whose data was stolen willingly placed it there in the first place -- they contracted with Epsilon to deliver the email on their behalf.  They uploaded your information to Epsilon.  They were not paid anything by Epsilon (they actually paid Epsilon a good deal of money) and Epsilon would not in any way use the information themselves.  (This is a narrow interpretation - Epsilon is part of a larger company that does more stuff with data.  However Epsilon was a smaller company that bought the product (Bigfoot) of an even smaller company and rebranded the product (Dream - hosted, DREAMmail - onsite installation) and then let it languish for a decade before reskinning it a hideous purple.)  Epsilon itself was purchased which probably contributed to the lack of innovation and change with the cash cow.

The interesting thing is that Epsilon is saying that only 2% of customers were impacted, but they seem to be huge names.  Even if they are 2%, what percentage of Epsilon's business, or what percentage of Epsilon's send-traffic does this represent?  And why these companies?  What makes these 2% stand out?  What did they do differently?  Did they have more advanced access?  Special APIs?  FTP sites?  Where was the weak link in the chain that ties these customers together?  That's what I'd like to know.  Of course, we never will.  They won't even disclose the entire customer list.

My employer is a former customer of Epsilon.  I was able to confirm that we were not impacted.  (Why would they still have data if we are no longer customers?  I don't know all the specifics, but I'm pretty sure they would need to retain information on who was emailed what for compliance and legal reasons.

We did not leave Epsilon because of any concerns over data security or integrity (this is a huge black eye for them and their lack of transparency isn't winning them any friends) but instead because of the lack of innovation on their platform.  We were pretty certain there was new things going on in the world of email and that Epsilon wasn't keeping up.  We conducted an RFP, invited in the top scoring vendors as well as Epsilon and at the end of the final round, Epsilon did not place at the top and we transitioned to a new vendor.

Now some of you will have read to the end and say "How can you do this for a living?  You're a spammer!"  If you go by the simple definition that "Spam is any unwanted mail." then you can call me a spammer, but that's an unfair definition.  Most organizations that mail you mail you because of implied or implicit permission. You provided the email address as part of a financial transaction or you specifically signed up and said "Send me email!"  Now the latter is the preferred method, but the former is also both legal and generally accepted.  If you later determine you don't want the email, you need to unsubscribe.  (Clicking "This is spam" is not fair.) But if doing so (from an emailer you recognize) doesn't get you off, then, yeah, click "This is spam" and complain to the abuse@ from the ESP itself.

No comments: