Privacy Watchdog, ESRB, Itself Leaks A Thousand Emails

Jul 14, 2010 · 4 mins
Data and Information Security, Data Breach, Microsoft

ESRB Leaked Email Addresses of People Concerned About Online Privacy, Then Apologizes

An employee for a privacy group made a rookie mistake by sending a Reply-All email and actually breached the privacy of people who had emailed their concerns to the group about their privacy. The irony of this story about the Entertainment Software Rating Board (ESRB) is something to be marveled over…

It began when Blizzard recently proposed a Real ID implementation that would expose users' real identities on its forums. A public outcry occurred and Blizzard retracted the idea, proving the masses can still save privacy. Then, in a sad, sick twist of events, ESRB accidentally leaked all the email addresses of those who had contacted it to report their concern about online privacy.

ESRB responded to the nearly 1,000 folks who had emailed with complaints about Blizzard’s decision to implement Real ID. Unfortunately, instead of using the BCC feature, an ESRB employee seems to have committed a rookie mistake by hitting “Reply All.” Yesterday, the ESRB issued a statement apologizing to the nearly 1,000 privacy-minded people whose email addresses were exposed.

This is the last paragraph of ESRB’s initial “reply all” response:

ESRB, through its Privacy Online program, helps companies develop practices to safeguard users’ personal information online while still providing a safe and enjoyable video game experience for all. We appreciate your taking the time to contact us with your concerns, and please feel free to direct any future inquiries you may have regarding online privacy to our attention.

This is an excerpt from ESRB’s issued email apology for the privacy blunder:

The fact that our message addressed individuals’ concerns with respect to their privacy underscores how truly disappointing a mistake this was on our part. We work with companies to ensure they are handling people’s private information with confidentiality, care and respect. It is only right that we set a good example and do no less ourselves.

Although I’m not condoning the ESRB privacy breach, it’s certainly not the first time or the worst time that a company was caught disregarding its users’ email privacy. In December, Yahoo wasn’t happy when a document describing the surveillance services it provides to law enforcement agencies was published on the whistleblower site Cryptome. They, and other companies, commonly sell your email addresses and much more.

ESRB did not remark on whether the Reply All privacy breach resulted in an email storm. If you’ve worked in IT for long, you’ve surely suffered due to the Reply All email feature, whether at the hands of a careless, clueless employee or through an email storm caused by multiple members of an email distribution list hitting Reply All at the same time in response to the instigating message. Then more people reply to the list to say things like stop %*$@^! replying to all. The chain reaction creates a tremendous traffic load and can take down email servers, much like a DDoS attack.
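The two failure modes above, a bulk reply with every recipient visible in To/Cc and a bulk message that invites a reply-all storm, can both be caught by a simple outbound-mail policy check. The following is an added example, not ESRB’s or any vendor’s code; the sender address, recipient list, and the ten-recipient threshold are constructed for illustration.

```python
"""Outbound-mail policy check for the two failure modes in the story: every
recipient's address exposed in To/Cc (the ESRB "Reply All" leak) and a bulk
notice that invites a reply-all storm. Added example, not ESRB's or anyone's
production code; the threshold, addresses and messages are constructed."""
from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE_RECIPIENTS = 10  # assumed policy threshold, not from the article

# Constructed stand-ins for the ~1,000 people who wrote in about Real ID.
SENDER = "privacy-office@example.org"
RECIPIENTS = [f"reader{i}@example.net" for i in range(12)]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient can see and can Reply-All to: To and Cc.
    Bcc is deliberately excluded; a compliant MTA strips it before delivery."""
    raw = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _, addr in getaddresses(raw) if addr]


def audit_outbound(msg: EmailMessage) -> list[str]:
    """Return policy findings; an empty list means the message may be sent."""
    findings = []
    visible = visible_recipients(msg)
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        findings.append(f"{len(visible)} addresses exposed in To/Cc; use Bcc")
    # Several visible recipients with no Reply-To means any "Reply All"
    # fans out to the whole list: the storm mechanism the article describes.
    if len(visible) > 1 and "Reply-To" not in msg:
        findings.append("bulk message without Reply-To; replies will fan out")
    return findings


def build_notice(sender: str, recipients: list[str], hide: bool) -> EmailMessage:
    """hide=False reproduces the leak (everyone in To); hide=True is the fix:
    only the sender is visible and the real recipients ride in Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = "Re: Your concern about online privacy"
    msg["To"] = sender if hide else ", ".join(recipients)
    if hide:
        msg["Bcc"] = ", ".join(recipients)
        msg["Reply-To"] = sender  # replies come back to us, not to the list
    msg.set_content("Thank you for contacting us.")
    return msg


if __name__ == "__main__":
    for hide in (False, True):
        notice = build_notice(SENDER, RECIPIENTS, hide)
        print("hidden" if hide else "exposed", audit_outbound(notice))
```

The check is meant to sit in front of whatever actually submits the message (for example, `smtplib.SMTP.send_message`, which removes the Bcc header itself before transmission).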

Even the Department of Homeland Security suffered an email storm, accidentally injecting itself with a DDoS in 2007, when a job-changing security consultant hit the reply-to-all button. His message was sent to every subscriber of DHS’s Daily Open Source Infrastructure Report, inadvertently exposing hundreds of security pros’ names and email addresses. Attempts to recall the message were futile and then so many emails were sent that one subscriber finally replied to all, “May the fleas of a thousand camels infest your armpits and may a yak in heat make love to your shin.”

Although the loss of privacy is not funny, after the storm passes, companies can often laugh at the disastrous email snafu in hindsight. For example, in 2009 the Microsoft Exchange Team Blog, “You Had Me at EHLO,” recounted an email storm in which a Microsoft employee noticed a distribution list, ‘Bedlam DL3’, and emailed the list asking to be removed. The list contained 13,000 email addresses, approximately a quarter of the company’s employees. Other users replied to the list asking to be removed, before still others responded with pleas to stop replying to the list. A Microsoft employee estimates that 15 million emails were sent, using 195 GB of bandwidth. This happened in 1997 and took about two days of constant work before the email system recovered from the millions of copies floating around. “When it was over, the team firefighting the crisis had t-shirts made with ‘I survived Bedlam DL3’ on the front and ‘Me Too! (followed by the email addresses of everyone who had replied)’ on the back.”

I hope ESRB learns from leaking the email addresses of those concerned about online privacy, even if it has to take desperate measures like disabling the reply-to-all function, as Nielsen did when it deleted its Reply-To-All button.

Ms. Smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.