Last week was a rough one for LinkedIn. And their password breach continues to cause problems. LinkedIn did the right thing by notifying its users that their accounts had been compromised, but apparently a lot of those notification emails went astray.
It seems that a large number of LinkedIn’s thoughtfully crafted emails have been caught in spam filters. It’s not that they too closely resemble Vi@gr@ ads or phishing, quite the contrary. So, what’s the problem?
The problem with these emails is not unique to LinkedIn. A lot of sites would have this problem after such a breach, and not just social networking sites, though social networking sites can be some of the worst offenders, due to their dependence on users as content generators.
The problem is that these sites are spammy. Spammy sites send too many notifications without giving their users enough options to receive only the emails that interest them. So users train their spam filter to send all notices into the dustbin. This is exactly what has happened to those breach notification emails.
There was one social networking site that I was once a member of that was so bad about this that I rage-quit it entirely. As a regular user you would see notices of new events, notices of comments on events, notices of system changes, notices for messages, friend requests, reminders of upcoming events, etc. That's a few dozen emails a day. And then as an organizer of events you would also get a message for every person RSVPing for an event. That's another handful of notices drowning out everything else in your inbox.
There was very little you could do to change this, short of disabling notices entirely. But of course turning off notices required you to log in constantly to dig around for the information you needed. Is this a social networking site or a full-time spam-wrangling job? Had something important come in the midst of all that, I would never have seen it, despite the fact that it's my job to be on the alert for these things.
People want to get deals and information from websites they join, but there is a very fine line between that and notification fatigue. This is creating a perfect storm for a very nasty situation. There are four things that are contributing to some very bad security hygiene:
- Many sites are still not taking privacy and data security seriously
- Many sites are spammy about contacting their users
- Phishing is sufficiently sophisticated that many people can’t tell good emails from bad
- People have so many passwords to remember that they re-use usernames/passwords
In this situation, users can scarcely be blamed for wanting to ignore security. How do you win at this game?
In the Internet era, it’s become very difficult for software vendors and website operators to know what to do to keep us safe. There are a lot of people operating with less information than they need to keep our data safe. And the consequences for data loss and identity theft are growing as our lives get increasingly Internet-entangled.
What could be done about this? What should be done about this? It's hard to say. It is my hope that some standards or certifications become commonplace that let developers know what they need to do, and let customers know they're reasonably protected.