DEV Community

Cover image for I was emailed after abandoning a registration form. I did not click Submit. This is not ok.
Heshie Brody
Heshie Brody

Posted on

I was emailed after abandoning a registration form. I did not click Submit. This is not ok.

We had a baby recently and my wife and I were online shopping for breast pumps. Our health insurance company website redirected me to a website named aeroflowbreastpumps.com where they had a form that I could input my insurance details and this website would take care of the billing for me and have my insurance pay for it.
I filled out the form but did not submit the form yet since my wife wanted to get some more feedback on which model we were going to purchase.

Approximately 10 minutes later I got an email from "aeroflowbreastpumps.com" telling me how close I am to qualifying for a breast pump.
Email ad

I was quite shocked since I knew I had never clicked submit and I still had the tab open in my browser with the information filled out.
So I decided to try it out with another email address of mine and see if it'll happen again.

Sure enough it did...!

I took some screenshots so you can see for yourself:

  • The Website Posting Form Data Before I Click Submit:
    The Website Posting Form Data Before I Click Submit

  • You Can See The Params Being Added To The Query String(The initial email is shown below)
    You Can See The Params Being Added To The Query String

  • Scripts Initiated By Input Change
    Scripts Initiated By Input Change

  • The website will try to track any activity and save it with the email it took.
    Email Input Trigger Code
    Email Input Trigger Code

Who's Is Behind This Technology?

The company behind this is called AddShoppers.
AddShoppers has a program named "Email Retargeting® Co-op + SafeOpt® Consumer Rights Management Integrated Platform"

Let them explain it to you in their own words:

  • The Problem: Customers Don't Always Want To Give Their Email... The Problem

"Regardless of email acquisition..."

  • The Solution: Network many sites to a point where at least one knows who you are, once identified that website will share it with the rest of the network.

Alt Text

Now, let's think about how this would play out off-line with your physical presence.
Imagine if every store you visited would take a picture of you and then share and compare it with neighboring stores until they find one that you are a customer of and has your information.
If such an agreement was in place, that store would now share who you are with the store that you are not yet a customer of and then add you to their marketing list.
This is exactly what "AddShoppers" does.

Scary(and creepy)...!

I'm not accusing them if this is legal since this is way out of my realm and they probably have a legal team to back this kind of stuff but it's still not ok. It's not right.
If your going to take my email address then at least let me know before I type anything.
Spamming customers will make them lose trust in you more than anything.
Integrity, communication and honesty are not just for real life social interactions.

The internet is real. The people using it are real. Be real.

Top comments (95)

Collapse
 
cubiclesocial profile image
cubiclesocial

Well, that's a clear violation of the CAN-SPAM U.S. Federal Law if there ever was one. The penalty for sending spam like that is $16,000 USD per violation with no limits enforceable by the FTC (i.e. if they send a mere 1,000 such messages, that's punishable for $16 million USD). And the Federal government sure could use the cash right now.

But it seems like you could do some exciting things with that form. Fill it in with: 'abuse@ theirwebhostingprovider.com' (whoever their provider is) in an Incognito window from a different WiFi network than yours and see what happens. If their system sends an automated email about breast pumps to their own hosting provider's abuse department, that will be quite difficult to explain away! "Um, we sent that message...because...um...we'll have to get back to you on that..."

Collapse
 
_hs_ profile image
HS

Super funny, love it, it's basically trolling.

On the other hand they could be in range of law where they have the right to keep these things and send such emails. Some sites have Terms & Conditions which makes them avoid these kind of things. I don't think this can go directly under CAN-SPAM. You actually went to the site filled in email yourself willingly giving away the address. Now it might be in T&C on their site that you accept such thing if you proceed.

Problem for them might be that you didn't press "I accept / agree / Allow ..." and they just have the info somewhere hidden which I'm unsure how much would it make an issue for them.

Collapse
 
helanan profile image
Helana

Very true, Im sure they are not allowed to sell their platform to Canadian companies, I wish we had the same protection in the US but unfortunately we do not. I used to work for a couple of popular email marketing platforms and honestly the people who are buying this companies services/platform are idiots. This is a terrible way to target new customers. No one responds to spam mail well, the amount of click thru's and actual ROI you would see from a platform like this has to be very very low. You make a great point also that half of the data that they do acquire is most likely dirty data that isn't even useful! This is essentially a very legal scam.

Collapse
 
jonstrayer profile image
Jon Strayer

It doesn't read to me as of they read the email address out of the form. What I think was going on is that he had freely given his email address to another customer of AddShoppers and AddShoppers passed it on to Aeroflow. So the problem is either browser fingerprinting or third party cookies. My bet is on the cookies.

Collapse
 
garretharp profile image
Garret

They use liquidweb.com for those wondering!

Collapse
 
blindfish3 profile image
Ben Calder

Not cool, and the saddest part is that there are developers out there willing to facilitate this unethical behaviour. I would rather quit my job...

Collapse
 
djsullenbarger profile image
David Sullenbarger

That's an awesome idea until you have kids.

Collapse
 
blindfish3 profile image
Ben Calder

No. That's a cop-out. I have kids; and I want to make the world a better place for them. If everyone makes a stand against this kind of crap then employers will stop expecting developers to screw over their fellow humans for the sake of a quick buck.

Fortunately my current employers also have appropriate ethical standards. If yours don't then start looking for another job; or better still raise you concerns with them. Case in point: I totally respect the Facebook employees making a stand over Zuckerberg's lame response to Trump's incitement to violence towards protesters in the US.

Thread Thread
 
djsullenbarger profile image
David Sullenbarger

Then you'll agree to pay my mortgage (or rent), fill up my fridge, keep my lights on and keep my kids in their private schools (my choice, and I do not care if anyone disagrees).

Agreed, if everyone takes a stand, but that's not happening over something this trivial .. and I really like my life the way it is. This is not the hill I would even consider dying on; you can have it.

Thread Thread
 
dtobias profile image
Dom

Your point would be valid if he wasn't a developer drowning in job opportunities (unless he's a very bad one maybe.. but even then)

Thread Thread
 
blindfish3 profile image
Ben Calder

I guess there has to be some balance though: there presumably are developers out there for whom job security is not guaranteed; or too great a risk (as TH Jones II reasonably suggests). But in that case I'm not sure I would consider an employer who engages in shady/illegal practices as a safe long-term bet and would still be looking to move on.

As for David - he clearly enjoys his privilege. I don't disagree that in the grand scheme of things this is a comparatively trivial example; but the question is: where do you draw the line?

Thread Thread
 
djsullenbarger profile image
David Sullenbarger • Edited

Very very far from here. And don't think I missed the brush you're trying to paint me with by using the word 'privilege'. FFS, I'm a 48 year old liberal ... it's just that the world isn't as black and white (i.e. simple) as I used to think it was.

Gosh darn, now I know how it feels to be on the receiving end of shiat like this.

Thread Thread
 
blindfish3 profile image
Ben Calder • Edited

Sorry if I've offended; but let's be clear: most full-time employed developers are in a privileged position - myself most definitely included. IMO we should therefore take some responsibility for the world we are helping to create. If we're not willing to push back over something this 'trivial' then where does it end?

In Europe what this company did would be considered illegal. To me that's a clear line I won't cross. In fact that makes it an easy decision to make and an easy stand to take; however complex the world happens to be. Maybe it's not what you intended; but your response gave the distinct impression that your material comforts were well worth the price of breaking this 'trivial' law.

Thread Thread
 
djsullenbarger profile image
David Sullenbarger

"but your response gave the distinct impression that your material comforts were well worth the price of breaking this 'trivial' law."

No, my point was it's not 'illegal' (loaded term) here and I already bitch about the cops (as a white guy and have for years), selfish policies (basically: 'conservative' ideals) and privacy (believe it or not) ... but I also know (my peers) don't know too much about GDPR and as soon as I mention it's a "Euro" thing 1/2 of them would tune me out (not sure I blame them) and the other 1/2 would probably roll their eyes

I do enjoy honest debates and I do not consider your privacy (or mine) trivial in any way whatsoever and I think the current state of affairs is disgusting (on both sides of the pond). To me, it seems like the problem I run into is that I have a very measured, pragmatic approach to things (it comes with age so they say) ... and don't think it's quite time for a lot of very important things (yet, sadly) so people think I'm arguing against an idea ... I'm usually not. People (rightfully) want to fix everything that broken right now .. and in my experience that's just not the way things work in the real world.

Let's fix the obvious problems with criminal law first. Not addressing this first (and by itself) is offensive to me and trivializes real suffering . You can have my freakin privacy if it'll keep people alive (which should be a false dichotomy in a free society) and out of jail (unless you are actually dangerous to society)

Thread Thread
 
blindfish3 profile image
Ben Calder

I guess we're looking at things from somewhat different cultural perspectives. The impression I have of the US is that things are really weighted against you: on face value it all looks so appealing - if you happen to be on the right side of the social divide. But if there really is no safety net and you fall on hard times you're essentially a slave to whatever system those with power have set up.

To put my original comment in context: I was able to give up both a toxic work environment and (IMO) a toxic country (the UK); move to another country with no contacts - and where I don't speak the language - and find gainful employment all in the space of 6 months. I appreciate that not everyone has that luxury; but that's precisely my point: those of us who do should use that leverage to effect meaningful change. So if an employer did put me in a position that went against my personal ethics (let alone the law) and resisted all my attempts to push back I really would have no hesitation to quit.

Thread Thread
 
djsullenbarger profile image
David Sullenbarger • Edited

"..I have of the US is that things are really weighted against you"

Heh, it's funny how much things change. When I lived 'abroad' in the late 80's and early 90's I was distressed to learn how much everyone else in the world seemed to be paying attention to everything we did and said (looking for a 'sign', it seemed) ... actually, a lot of the people who lived in the 'shiat hole' countries seemed to have the impression we were mere minutes from swooping in and saving them from something or another.

It was an unrealistically high opinion that was obviously going to to swing to the other extreme at some point (which it has) ...

Every place has good and bad parts my friend and I prefer being here ... or down in Australia. Not real fond of European culture .. it felt inscrutably "class" based (to an outsider at least) and I can't think of many things that bother me more (though I do enjoy hanging with Slavs ... )

Collapse
 
ferricoxide profile image
Thomas H Jones II

Ideals are great and all, but, until there's a meaningful social safety-net that affords me the luxury of taking a stand any time an employer decides to do something shady, best many of us can do is go into active job-search mode and walk at the first opportunity.

Unfortunately, in the US, if you have any chronic health conditions (or responsible for someone who does), you're kind of constrained.

Collapse
 
djsullenbarger profile image
David Sullenbarger

"but, until there's a meaningful social safety-net that affords me the luxury of taking a stand any time an employer decides to do something shady"

a.m.e.n.

I get sooooo tired of hearing "just quit" like that's even remotely possible these days (for 98.9% of us)

Thread Thread
 
ferricoxide profile image
Thomas H Jones II

When I was still in my 20s, single with no mortgage or pets, it was doable. Now, with a wife with chronic health conditions, mortgage and pets, my ability to take a stand on principle requires a lot more deliberation.

At best, a given thing can make me decide, "time to shake my professional network to see who's hiring" or otherwise refresh my resume and jobsite-presences, but that's hair-trigger as I can currently be.

On the plus side of COVID-19 and its potential lasting-effects, I don't necessarily automatically have to give up my work-from-home just to take a new position.

Collapse
 
pozda profile image
Ivan Pozderac • Edited

Yo, what about GDPR or similar laws? In the Europe this is not legal.
When GDPR started, I was thinking, oh not another cookie notification, but then I realized that it is kinda cool to ask people if they actually want to give away they details, not just take them. It is civilized thing to do.

I am not so familiar with US laws about privacy and spam but as I remember they can't send you anything until you submit your email, right?

We should stop this next level black-hat data scraping/stealing shenanigans!

Collapse
 
fnuttens profile image
Florent Nuttens • Edited

As a wise man once said:

You were so preoccupied with whether or not you could that you didn't stop to think if you should.

Seriously, I think their place in dark patterns's hall of shame is well deserved 🙄

Collapse
 
bradsmithsc profile image
Brad Smith

I recall a demo where a visitor while entering the 3rd 4th and 5th chr of their ZIP code (US), the corresponding address information would filter down then autofill the city and state fields.

The fields were asynchronous and could be tied to any data point. That was the point of the demo. The user never had to submit the data.

Collapse
 
nirlanka profile image
Nir Lanka ニル

I'm speechless. This is very creepy. Gotta build a browser extension that monitors requests being made while filling forms (though now that I think of it, that may not be allowed).
Wish there was a legal way to handle this.

Collapse
 
arerbacad profile image
arerbac-ad

Maybe could be an extension that holds the value of every input, and fill them when de form is submited.

Collapse
 
nirlanka profile image
Nir Lanka ニル

I'll tell you once I've started on this hopefully this weekend 🙂🍻

Collapse
 
kp profile image
KP

i dont get it. How would this monitor that the website is spying and making ajax requests?

Thread Thread
 
nirlanka profile image
Nir Lanka ニル • Edited

I didn't research yet. My initial thoughts were either:

  • monitor inputs and check if requests are sent with that data (not sure about extension permissions allow this)
  • or just blindly replace some critical input fields (name, email, etc), record the inputs and put them back into the form before submit. (credit to arerbac-ad for coming up with the idea)

I'm not 100% sure we can do this, but we wanted to try out some ideas and see. Do you think these ideas won't work for technical reasons?

Thread Thread
 
kp profile image
KP

I get it now. The original answer wasn't as clear.
There will be some technical challenges to doing this, but I'd be interested in following your progress if you share a link to your repo (or better yet, a demo)!

Thread Thread
 
nirlanka profile image
Nir Lanka ニル

That sounds wonderful! Thanks for your support. I will try and start the basic implementation, so we can have a look and consider our options or improve. I have only limited experience building Chrome extensions, but I'm sure if we put our heads together we can build a feasible solution somehow.

Thread Thread
 
nirlanka profile image
Nir Lanka ニル

I was just browsing around, and thought this extension had some characteristics we could look into (monitoring request body etc). Need to check thoroughly.
chrome.google.com/webstore/detail/...

Collapse
 
nirlanka profile image
Nir Lanka ニル

Hey, that's a clever idea! Thats very good. Will look into it. 😊👍🏻

Collapse
 
nirlanka profile image
Nir Lanka ニル

Im considering the implications of handling autocomplete and input validations.

Collapse
 
heshiebee profile image
Heshie Brody

Great idea! Let me know if you need any help, would love to collaborate.

Collapse
 
nirlanka profile image
Nir Lanka ニル

Thanks! Let's do it. I'll try and setup a Chrome extension codebase. Will try and start it this weekend. Will link it here. I'll add the base implementation and we can work together on it. Does that sound like a good plan?

Thread Thread
 
heshiebee profile image
Heshie Brody

I'm committed to a project until the end of June.
Will try to add as much as I can until then.
Please dm me so we can exchange contact info.

Collapse
 
uehondor profile image
Uyi Ehondor • Edited

Reading the T&C at aeroflowbreastpumps.com/terms-and-..., it includes this line “By signing and submitting this form, I consent to receive phone calls, emails ...” which to me suggests you shouldn’t have received an email until you hit the submit button.

So it appears they’re in violation of their own T&C.

Collapse
 
heshiebee profile image
Heshie Brody

Exactly! I did not find anywhere on their site mentioning this behavior.

Collapse
 
code_regina profile image
Code_Regina

Very interesting post. The state of privacy seems to only be getting worse as companies are getting very desperate to squeeze more and more data out of each and everyone of us. Thank you for posting the behind the scene code to this.

Collapse
 
kovidr profile image
Kovid Rathee

This is horrible! Given how much people care about privacy, I am sure thousands of companies are doing this. Good that you shared this story with us. As @sebastian said, we should hope our dislikes are heard.

Collapse
 
trasherdk profile image
TrasherDK

Substitute developers with soldiers and think Nuremberg trials

Collapse
 
rogerthat35 profile image
Amy Rogers

The exact same thing happened to me just a few days ago. Funny thing is, it didn't make me want to buy the product any more... just creeped me out. Great article, it was interesting to see how it works behind the scenes.